BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Problems with sudo

Subject: Problems with sudo
From: dsr-mzpnVDyJpH4k7aNtvndDlA at public.gmane.org (Dan Ritter)
Date: Fri, 27 Nov 2009 19:23:09 -0500
In-reply-to: <e7009c600911271139r1f460815g66085e46a96bd0d6-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
References: <e7009c600911271124h49e0a590y24b830dbb2d52d94@mail.gmail.com> <e7009c600911271139r1f460815g66085e46a96bd0d6@mail.gmail.com>

On Fri, Nov 27, 2009 at 02:39:37PM -0500, Matt Shields wrote:
> On Fri, Nov 27, 2009 at 2:24 PM, Matt Shields <matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org> wrote:
> 
> > Is there anyone on the list that has some suggestions on securing sudo?
> > For years we've used sudo to give our developers and qa access to production
> > servers run cat, less, more and tail to view logs, but nothing else.  But a
> > recent know it all developer who seems to think that he shouldn't abide by
> > rules has figured out that in less if you hit ! then /bin/bash he can get a
> > root shell.  Anyone know of a way of forbidding dropping to shell from any
> > of these applications?

Why, yes. And best of all, it works across all apps, even ones
you haven't seen yet.

  From: senior_manager
  To: all_dev_staff, all_qa_staff
  Subject: Policy on root privileges

  I'd like to clarify our new formal policy on root privileges.
  For future reference, you can find this on our internal wiki
  at http://wiki.internal.example.com/view=dev/policy

  Root or administrative privileges are available by default for
  your desktop (or laptop) systems. You must keep the existing
  /etc/sudoers file intact to allow sysadmin staff to assist
  you.

  No one will directly use a root or administrative privileged
  account on any development or production system, except for
  authorized sysadmin staff. Privileges may be granted via
  'sudo' for specific users on specific machines. Such
  permissions are likely to be quite restrictive -- only
  specific commands may be run. Do not assume that because a
  given program allows an escape to shell, that shell is
  authorized. It is not.

  Attempting to violate this policy once will result in a
  warning. A second attempt will probably be considered grounds
  for termination of employment.

  If you think you need expanded privileges on any machine,
  please contact the sysadmin staff at sysadmin-hcDgGtZH8xNBDgjK7y7TUQ at public.gmane.org, or 
  by calling the help desk at xHELP. In an emergency, call xHELP
  and request an immediate page of on-duty staff.

  Any questions? Send me private email.

  Senior Manager
  Example Corp

Or a message to that effect.

You can't stop a sufficiently clever person, especially one who
is already trusted and inside your network. You can stop a
sufficiently ethical or sensible person -- and you don't want
any other sort working with you.

-dsr

-- 
http://tao.merseine.nu/~dsr/eula.html is hereby incorporated by reference.
You can't defend freedom by getting rid of it.

References:
- Problems with sudo
  - From: matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org (Matt Shields)
- Problems with sudo
  - From: matt-urrlRJtNKRMsHrnhXWJB8w at public.gmane.org (Matt Shields)

Prev by Date: Problems with sudo
Next by Date: Common /home Across Distro Versions
Previous by thread: Problems with sudo
Next by thread: Problems with sudo
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org