Problems with sudo

Dan Ritter dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org
Fri Nov 27 19:23:09 EST 2009


On Fri, Nov 27, 2009 at 02:39:37PM -0500, Matt Shields wrote:
> On Fri, Nov 27, 2009 at 2:24 PM, Matt Shields <matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org> wrote:
> 
> > Is there anyone on the list that has some suggestions on securing sudo?
> > For years we've used sudo to give our developers and QA access to production
> > servers to run cat, less, more and tail to view logs, but nothing else.  But a
> > recent know-it-all developer who seems to think that he shouldn't abide by
> > rules has figured out that in less if you hit ! then /bin/bash he can get a
> > root shell.  Anyone know of a way of forbidding dropping to shell from any
> > of these applications?

Why, yes. And best of all, it works across all apps, even ones
you haven't seen yet.

  From: senior_manager
  To: all_dev_staff, all_qa_staff
  Subject: Policy on root privileges

  I'd like to clarify our new formal policy on root privileges.
  For future reference, you can find this on our internal wiki
  at http://wiki.internal.example.com/view=dev/policy

  Root or administrative privileges are available by default for
  your desktop (or laptop) systems. You must keep the existing
  /etc/sudoers file intact to allow sysadmin staff to assist
  you.

  No one will directly use a root or administrative privileged
  account on any development or production system, except for
  authorized sysadmin staff. Privileges may be granted via
  'sudo' for specific users on specific machines. Such
  permissions are likely to be quite restrictive -- only
  specific commands may be run. Do not assume that because a
  given program allows an escape to shell, that shell is
  authorized. It is not.

  Attempting to violate this policy once will result in a
  warning. A second attempt will probably be considered grounds
  for termination of employment.

  If you think you need expanded privileges on any machine,
  please contact the sysadmin staff at sysadmin-hcDgGtZH8xNBDgjK7y7TUQ at public.gmane.org, or 
  by calling the help desk at xHELP. In an emergency, call xHELP
  and request an immediate page of on-duty staff.

  Any questions? Send me private email.

  Senior Manager
  Example Corp

Or a message to that effect.

You can't stop a sufficiently clever person, especially one who
is already trusted and inside your network. You can stop a
sufficiently ethical or sensible person -- and you don't want
any other sort working with you.

-dsr

-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.
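As an added illustration, not part of Dan's reply or the original thread: the grant the question describes, beside a hardened form that uses sudo's NOEXEC tag to refuse the child processes a "!" escape relies on. The group name %devqa and the log paths are assumptions.

```sudoers
# Added illustration, not from the thread. %devqa and the paths are hypothetical.

# Before: the grant the question describes. It lets developers and QA read
# logs as root, but less and more can run a shell command with "!", and that
# child inherits the privileges sudo granted.
%devqa  ALL = (root) /bin/cat /var/log/*, /bin/more /var/log/*, \
                     /usr/bin/less /var/log/*, /usr/bin/tail /var/log/*

# After: the NOEXEC tag makes sudo preload a shim that refuses execve()
# from the granted program, so a "!" escape in less or more cannot start
# a shell. cat and tail spawn nothing, but the tag costs nothing there.
%devqa  ALL = (root) NOEXEC: /bin/cat /var/log/*, /bin/more /var/log/*, \
                             /usr/bin/less /var/log/*, /usr/bin/tail /var/log/*

# Equivalent policy-wide form: turn noexec on for the whole file and opt out
# per command with EXEC: only where a program legitimately needs children.
# Defaults noexec

# Caveats a reviewer should know:
#  - noexec works by library preloading, so it cannot constrain statically
#    linked programs; "sudo -V" run as root shows whether this build has a
#    noexec library configured.
#  - a wildcard in the argument part is matched against the whole argument
#    string, so "less /var/log/*" does not by itself limit the command to a
#    single file under /var/log. Keep each grant as narrow as the site allows.
#  - less also honours LESSSECURE=1, which disables its "!" and related
#    shell commands inside less itself; a wrapper that sets it before
#    running less is a second, independent layer, not a replacement.
```

Neither layer makes the policy above unnecessary; they just make the escape fail loudly instead of succeeding quietly, which is also where the sudo log entry for the attempt comes from.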