Re: Access to nfs server, Part 2
From: Scott Gifford (sgifford_at_suspectclass.com)
Date: 07/23/04
- Previous message: mike_at_genxweb.net: "Re: Hack attempt"
- In reply to: Kevin Johnson: "Re: Access to nfs server, Part 2"
- Next in thread: Kyle Maxwell: "Re: Access to nfs server, Part 2"
- Reply: Kyle Maxwell: "Re: Access to nfs server, Part 2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Kevin Johnson <kjohnson@secureideas.net>
Date: Fri, 23 Jul 2004 12:14:05 -0400
Kevin Johnson <kjohnson@secureideas.net> writes:
> I believe that using sudo to give the developer access to whatever
> commands he needs to run should prevent the 'su - <username>' trick.
> I am always leery of giving someone root access to any machine on my
> network if I don't trust him on EVERY machine.

This will only work if you're very careful of what commands you allow
them to run, and the commands are designed to be run with elevated
privileges. Otherwise the developer may be able to use command-line
options or interactive commands to get into a shell or otherwise run
arbitrary commands.

For example, let's say you put a command in sudoers to allow a
developer to edit /etc/services with vi. Once vi starts up, they can
simply use :! to run commands as root. There are many variations on
this sort of attack/abuse, and it can be quite difficult to find them
all.
-----ScottG.
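
An added example, not part of the original message: a small audit that flags sudoers rules granting interactive programs (such as the vi case above) without the NOEXEC tag, or granting ALL. The sample rules, user names and the list of interactive programs are assumptions made up for illustration; the parser handles only simple one-line rules (no aliases, includes or line continuations).

```python
import os
import re

# Assumed starter list of interactive programs that can run other commands;
# deliberately not exhaustive, since such cases are hard to enumerate.
INTERACTIVE = {"vi", "vim", "view", "ed", "nano", "emacs", "less", "more", "man"}

# Constructed sample sudoers content (users, paths and rules are made up).
SAMPLE_SUDOERS = """\
# developer rules
dev1 ALL = (root) /usr/bin/vi /etc/services
dev2 ALL = (root) NOEXEC: /usr/bin/vi /etc/services
dev3 ALL = (root) sudoedit /etc/services
dev4 ALL = (root) /usr/sbin/exportfs -ra, /usr/bin/less /var/log/messages
dev5 ALL = (ALL) ALL
"""

# user  host = [(runas)] command-list   (simple one-line rules only)
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGGED = re.compile(r"((?:[A-Z]+:\s*)*)(.*)")

def audit(text):
    """Return (user, command, reason) tuples for risky command specs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        user, noexec = m.group(1), False
        for spec in m.group(2).split(","):
            tags, cmd = TAGGED.match(spec.strip()).groups()
            # NOEXEC/EXEC tags carry over to later commands on the same line
            for tag in re.findall(r"[A-Z]+", tags):
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            if not cmd:
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((user, cmd, "unrestricted: any command allowed"))
            elif prog in INTERACTIVE and not noexec:
                findings.append((user, cmd, "interactive program without NOEXEC; "
                                            "for file edits prefer sudoedit"))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

The sudoedit rule passes because sudoedit runs the editor as the invoking user on a temporary copy of the file rather than as root.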