Re: sudo and command line expansion
From: all mail refused (elvis@notatla.demon.co.uk)
Date: 12/18/02
From: elvis@notatla.demon.co.uk (all mail refused) Date: Wed, 18 Dec 2002 06:56:12 +0000 (UTC)
In article <mMCcnYrzaLvEVWKgXTWcow@giganews.com>, Ali-Reza Anghaie wrote:
>Kent Smith wrote:
>> Furthermore, IT WOULD BE LOGGED, so you could see if anyone is trying
>> this on your machine. You *are* logging sudo aren't you?
>>
>> Security isn't worth much without reasonable monitoring.
>
>Just another note on what I'm hoping would be obvious but I've seen people
>do wrong... don't allow sudo access to another user shell unless you really
>want a person to be root. Don't give sudo access to something that can make
>shell calls outside of itself as well (i.e. :!<command> in vi). Etc.
Or to files that are writable by non-root or under directories writable
by non-root. I frequently have to nag my should-know-better SAs over this.
-- decoy mail addresses: obtain username via 0x4f/tcp or 0x50/tcp send sir_nat_the_brat@hotmail.com to submit@spamarchive.org
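
An audit for the point made in the reply above, as an added example that is not part of the original post: given a command path listed in sudoers, it reports the file or any ancestor directory that a non-root account owns or can write to. The function name `audit_sudo_target` and the default of trusting only uid 0 and gid 0 are assumptions of this example.

```python
import os
import stat
import sys
from pathlib import Path


def audit_sudo_target(path, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Return (component, reason) pairs for every part of `path` that an
    untrusted account could modify or replace."""
    literal = Path(os.path.abspath(path))    # path as written in sudoers
    resolved = Path(os.path.realpath(path))  # path after following symlinks
    # The file itself plus every ancestor directory, for both spellings:
    # write access to any of them lets the holder swap what sudo will run.
    chain = [literal, *literal.parents, resolved, *resolved.parents]
    findings = []
    for comp in dict.fromkeys(chain):  # de-duplicate, keep order
        try:
            st = os.stat(comp)
        except OSError as exc:
            findings.append((str(comp), f"cannot stat: {exc.strerror}"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((str(comp), f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((str(comp), f"group-writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            # Strict: sticky directories such as /tmp are reported too.
            findings.append((str(comp), "world-writable"))
    return findings


if __name__ == "__main__":
    # Usage: pass one or more command paths taken from sudoers entries.
    bad = 0
    for target in sys.argv[1:]:
        for comp, reason in audit_sudo_target(target):
            print(f"{target}: {comp}: {reason}")
            bad = 1
    sys.exit(bad)
```
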