Re: root group in solaris : Tools
- From: Michael T Pins <mtpins@xxxxxxxxx>
- Date: Fri, 22 Sep 2006 14:15:18 -0600 (MDT)
Mike Kuriger writes:
sudo provides logging, and commands such as /bin/sh etc. can be put into
a group in /etc/sudoers and forbidden. Then add users to the wheel
group who need sudo access. Of course there are ways around the
forbidden things. You can be specific with which commands they can run
so that they don't write shell scripts and run them with sudo to bypass
the forbidden binaries.
Cmnd_Alias SHELLS = /sbin/sh,\
/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN
Doesn't help. If you allow the user to sudo any program that allows them
to shell out (i.e. vi, more), they can get a root shell.
If you need to stop people with sudo access from getting a root shell
you need to have only allow lists, not deny lists. And, obviously, you
need to be very careful about what programs you allow them.
I did once hack up both vi and more so users couldn't shell out, but
unfortunately that code is long gone.
--
Michael T Pins | "It is not knowable how long that conflict
mtpins@xxxxxxxxx | (Iraq) would last. It could last, you know,
keeper of the nn sources | six days, six weeks. I doubt six months."
ftp://ftp.nndev.org/pub | - Donald Rumsfeld, Feb 7, 2003
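The two points made in this exchange (a deny list of shells in sudoers is bypassable, and an allow list only helps if none of the allowed programs can shell out) can be checked mechanically. The script below is an added example, not code from either poster or from the sudo project. It audits a sudoers file and reports negated command entries, blanket ALL grants, and allowed programs from a small constructed list of ones that offer a shell escape (vi, more, and a few relatives). It expands Cmnd_Alias names one level, ignores #include directives, and is run against two constructed sample files: the deny list quoted above, and an allow list that still hands out vi.

```shell
#!/bin/sh
# Hypothetical sudoers audit helper (added example, not part of sudo).
# Flags the weaknesses discussed in the thread:
#   - "!COMMAND" entries: a deny list, which a shell escape walks around
#   - "ALL" command grants
#   - allowed programs that can spawn a shell from inside the program
# Constructed list of programs with a shell escape (":!sh" in vi, "!sh" in
# more); not exhaustive, assumption for this example.
SHELL_ESCAPE_PROGS="vi vim view more less man"

# Strip comments, join backslash-continued lines, drop blank lines.
# (#include/#includedir lines are treated as comments here.)
normalize_sudoers() {
    awk '{
        sub(/#.*/, "")
        if (sub(/\\[[:space:]]*$/, "")) { buf = buf $0; next }
        line = buf $0
        if (line ~ /[^[:space:]]/) print line
        buf = ""
    }' "$1"
}

# Print one finding per line for the user specs in the given sudoers file.
audit_sudoers() {
    normalize_sudoers "$1" | awk -v progs="$SHELL_ESCAPE_PROGS" '
    BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) escape[p[i]] = 1 }
    # Remember Cmnd_Alias definitions so they can be expanded (one level).
    $1 == "Cmnd_Alias" {
        sub(/^Cmnd_Alias[[:space:]]+/, "")
        eq = index($0, "=")
        name = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", name)
        alias[name] = substr($0, eq + 1)
        next
    }
    /^(User_Alias|Host_Alias|Runas_Alias|Defaults)/ { next }
    # Anything else is a user spec: who hosts = (runas) cmd, cmd, ...
    {
        eq = index($0, "="); if (eq == 0) next
        who = substr($0, 1, eq - 1); sub(/[[:space:]].*$/, "", who)
        cmds = substr($0, eq + 1)
        sub(/^[[:space:]]*\([^)]*\)/, "", cmds)   # drop "(runas)"
        gsub(/[A-Z_]+:/, "", cmds)                 # drop tags such as NOPASSWD:
        m = split(cmds, item, ",")
        for (i = 1; i <= m; i++) {
            c = item[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
            if (c == "") continue
            if (substr(c, 1, 1) == "!") {
                printf "%s: deny-list entry %s (bypassable via shell escape)\n", who, c
                continue
            }
            list = (c in alias) ? alias[c] : c
            k = split(list, prog, ",")
            for (j = 1; j <= k; j++) {
                path = prog[j]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", path)
                sub(/[[:space:]].*$/, "", path)    # keep the binary, drop arguments
                if (path == "ALL") { printf "%s: grants ALL commands\n", who; continue }
                base = path; sub(/.*\//, "", base)
                if (base in escape) printf "%s: %s can spawn a shell\n", who, path
            }
        }
    }'
}

# Number of findings for a file (0 when clean).
count_findings() {
    audit_sudoers "$1" | grep -c . || true
}

# Constructed sample files: the deny list from the post, and an allow list
# that still includes vi.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/deny-list" <<'EOF'
# deny list: wheel gets everything except shells and su
Cmnd_Alias SHELLS = /sbin/sh,\
/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
/usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh
Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN
EOF
cat > "$SAMPLE_DIR/allow-list" <<'EOF'
# allow list, but vi offers ":!sh"
Cmnd_Alias SERVICES = /usr/bin/svcs, /usr/sbin/svcadm restart ssh
alice ALL = (root) SERVICES, /usr/bin/vi /etc/hosts
EOF

for f in deny-list allow-list; do
    echo "== $f: $(count_findings "$SAMPLE_DIR/$f") finding(s)"
    audit_sudoers "$SAMPLE_DIR/$f"
done
```

Run as-is to see three findings for the deny list (the ALL grant plus the two negated aliases) and one for the allow list (vi). A clean result means the file grants only specific binaries, none of which are on the shell-escape list; the list itself is the part to maintain, since, as the reply says, the real work is being careful about every program you allow.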