-
August 3rd, 2004, 07:52 AM
#11
As SirDice was kind enough to point out,
you shouldn't allow any kind of program that has more than one function, let alone a function to edit / open files as the root user to be used with sudo (in the /etc/sudoers)
That way no one will be able to edit the /etc/shadow, /etc/password or /etc/sudoers or even worse files . . .
The only file allowed to be "su-done" on my system is a shellscript that chroots the home of the user and then drops back to the lower rights user..
The only thing you have to be really really careful about is not to allow too much !!!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
August 3rd, 2004, 10:44 PM
#12
Sudo, being a program by Todd Miller at www.courtesan.com, is pretty much an essential program in most implementations of *NIX these days.
The default installation goes into /usr/local/bin (sudo) and /usr/local/sbin (visudo).
The man pages are located at the author's site: here
Implementation is everything, as always, and correctly used, can provide a lot of ease to the systems administrators and those that write scripts that need "root" access, etc...
Of course, if you do this:
Code:
username ALL=(ALL) NOPASSWD: ALL
You might as well just say "here's the keys, take the car out!"....
It's got group aliasing, host aliasing, command aliasing, everything...you can narrow it down to IP-based machines, etc...it's come a long ways!
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
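An added example of the narrowing the post above describes, written as a sudoers fragment (not taken from any poster or from the sudo project); every user, host and script name in it is made up:

```sudoers
# Weak rule quoted in the post: unrestricted root, no password prompt.
# username ALL=(ALL) NOPASSWD: ALL

# Narrowed equivalent using the user, host and command aliases the post mentions.
# All names below (users, hosts, paths) are invented for illustration.
User_Alias  WEBADMINS = alice, bob
Host_Alias  WEBHOSTS  = www1, www2, 192.168.10.0/255.255.255.0
Cmnd_Alias  WEBCTL    = /usr/sbin/apachectl configtest, \
                        /usr/sbin/apachectl graceful

# The arguments are part of the rule: only these two exact invocations match,
# and the user is still prompted for their own password.
WEBADMINS   WEBHOSTS = (root) WEBCTL

# The chroot-then-drop-privileges wrapper described in post #11, allowed as one
# fixed path (hypothetical script name). Listing an editor or a shell here
# instead would be the multi-function program the thread warns against.
%users      ALL = (root) /usr/local/sbin/chroot-home.sh
```

Run `visudo -c` to syntax-check the file before relying on it.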
-
August 3rd, 2004, 10:50 PM
#13
Originally posted here by hacker_vk
thx again !! the_JinX, SirDice.
Right Now my head is in the sudo-link...dupppp..
Hey..one sec.. another Doubt.
Assume if I could change "passwd" file for myself to be root. Then I CAN do anything with "/etc/sudoers" file & also I can remove entries from its log files.
Isn't that a hole? If not, then what's the patch?
Thx again in advance.
If you could change /etc/passwd to begin with, either /etc/passwd would be world-writeable or you'd already be equivalent to 'root' and you wouldn't need to touch sudo, which by default doesn't allow root to run it. A rather off-base question because if you're already root-equiv (UID: 0), then it doesn't matter...you can shut off syslog, change routing and networking tables, etc...install backdoors, fatal suid progs, set eth0 to promiscuous, replace binaries with your own mix, the usual....
So no, it's not a "hole"....
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.