Re: root group in solaris



Tonnerre Lombard <tonnerre.lombard@xxxxxxxxxx> wrote on 09/26/2006 10:38:40 PM:
> On Tue, 2006-09-26 at 17:09 -0700, Jonathan Leffler wrote:
> > > What if one of the commands is /bin/ksh? Or if the person in question
> > > runs sudo /bin/ksh?
> >
> > Download the source (v1.6.3 is available from SourceForge). Try it.
> > [...]
>
> This is absolutely clear to me. I was thinking more in the lines of
> "Wouldn't that give the user the right to do whatever he wants, even if
> he didn't initially get the permission to do it in /etc/sudoers, and
> wouldn't that give the user even the right to _change_ /etc/sudoers?"

Sorry - I misunderstood your concern.

Yes, it gives the user permission to do whatever he wants (which isn't
quite the same as the right to do whatever he wants - but the difference
would take some explaining). And yes, as I mentioned, the user could
change the sudosh log files, and /etc/sudoers, and so on.

I generally take the view that if you can't trust the users with root
privileges, you are in for a very difficult time - usually stated in the
more absolute form "root can do anything", where anything includes erasing
or replacing the o/s (though the reboot can be tricky over a network). It
might be over-simplistic as a view; it isn't too far removed from the
truth.

--
Jonathan Leffler (jleffler@xxxxxxxxxx)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
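
The point made in this message, that a sudo grant on /bin/ksh amounts to full root, can be checked for in a sudoers file. The following is an added example, not part of the original post and not code from sudo or sudosh; the shell list, the sample sudoers content and all function names are assumptions. The parser is simplified: it expands one level of Cmnd_Alias and flags only direct shell or ALL grants.

```python
import re

# Assumed list of shells; a sudo grant on any of them is an unrestricted root session.
SHELLS = {"sh", "ksh", "bash", "csh", "tcsh", "zsh"}

SAMPLE = r"""# Constructed sudoers content for this example (not from the thread).
Cmnd_Alias SHELLS = /bin/sh, /bin/ksh
Cmnd_Alias PRINT = /usr/bin/lpstat, \
                   /usr/bin/cancel
Defaults logfile=/var/log/sudo.log
alice ALL = (root) NOPASSWD: PRINT
bob   ALL = /usr/bin/lpstat, SHELLS
carol ALL = (ALL) ALL
dave  ALL = /usr/sbin/shutdown, !/bin/ksh
"""

def logical_lines(text):
    # Join backslash-continued lines; drop blanks and '#' lines (includes are not followed).
    lines = (l.strip() for l in re.sub(r"\\\n", " ", text).splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def split_commands(spec):
    # Strip Runas specs and tags (NOPASSWD: etc.), then split the command list on commas.
    spec = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", spec)
    return [c.strip() for c in spec.split(",") if c.strip()]

def is_root_equivalent(cmd):
    # ALL or a shell binary; negated entries ('!cmd') are denials, not grants.
    base = cmd.split()[0].rsplit("/", 1)[-1]
    return not cmd.startswith("!") and (cmd == "ALL" or base in SHELLS)

def audit(text):
    # Return (user, command) pairs whose grant amounts to full root.
    aliases, findings = {}, []
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = split_commands(m.group(2))
    for line in logical_lines(text):
        if re.match(r"(\w+_Alias|Defaults)\b", line):
            continue  # alias definitions and Defaults are not grants
        who, _, spec = line.partition("=")
        for item in split_commands(spec):
            for cmd in aliases.get(item, [item]):  # one level of alias expansion
                if is_root_equivalent(cmd):
                    findings.append((who.split()[0], cmd))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```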


