turiya at linuxfromscratch.org
Wed Oct 17 08:34:45 PDT 2001
On Wednesday 17 October 2001 12:09, Simon Geard wrote:
> On Thursday 18 October 2001 00:36, Fabio Fracassi wrote:
> > It is possible, but from a security viewpoint not very advisable.
> > Another account is another possible hole, and a hole with root privileges
> > is a severe danger.
> > BTW, what good should it do?
> > If you need privileges for other users use groups/su or sudo.
> Making sure to use your brain when configuring sudo. As I've mentioned a
> while back, the configuration used at my workplace has a number of
> interesting holes.
> For example the following commands can be run as root:
> vi /path/to/whatever/file
> sh start.sh *
> The former fails to account for the fact that once vi is running as root,
> you can then open any other file on the system, or run a shell. The latter
> does not specify a path for the script to be run, so that any script called
> start.sh can be run.
> There are several other variations on this theme.
When dealing with security sensitive things one should always be very careful.
Your examples above sound like very sloppy administration.
One has to always make sure that the program that is granted root access is
doing exactly what it should. Especially programs that allow shell calls are
If you are not sure whether a program allows more than you intend it to, write
a wrapper script (write protected of course), that enforces your restrictions.
But all that is also stated in the Documentation of sudo, and rather evident
Also it is very seldom needed, at all, but if you need some root access it is
better and safer than having two root accounts.
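
Added example, not part of the original message or of sudo itself: a small shell function that checks a sudoers command spec for the two holes quoted above (an editor that can open other files or run a shell, and an interpreter given a script name with no absolute path). The function name `audit_cmnd`, the sample specs and the `/usr/bin/vi`, `/bin/sh` and wrapper paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a sudoers command spec
# for the two holes quoted above. Paths and sample specs are constructed.

# Usage: audit_cmnd '<command and arguments as written in a sudoers rule>'
# Prints one finding per line; prints nothing when no check matches.
audit_cmnd() {
    spec=$1
    [ -n "$spec" ] || return 0
    set -f              # keep a literal '*' from being glob-expanded
    set -- $spec        # split the spec into program + arguments
    set +f
    prog=${1##*/}       # basename of the granted program
    shift

    # Hole 1: interactive programs that can open other files or run a shell.
    case "$prog" in
        vi|vim|view|ex|ed|less|more|emacs)
            echo "shell-escape: $prog can open other files or spawn a shell" ;;
    esac

    # Hole 2: a shell interpreter whose script argument has no absolute path.
    case "$prog" in
        sh|bash|dash|ksh|zsh)
            case "${1:-}" in
                "") echo "interpreter: $prog granted with no script at all" ;;
                /*) ;;
                *)  echo "relative-script: '$1' is not pinned to an absolute path" ;;
            esac ;;
    esac

    # A bare '*' argument lets the caller append anything to the command.
    case " $* " in
        *" * "*) echo "wildcard-args: '*' accepts arbitrary extra arguments" ;;
    esac
    return 0
}

# Constructed sample specs modelled on the quoted message, plus a pinned wrapper.
for s in '/usr/bin/vi /path/to/whatever/file' '/bin/sh start.sh *' \
         '/usr/local/sbin/start-wrapper'; do
    printf '%s\n' "== $s"
    audit_cmnd "$s"
done
```

The checks are heuristics for these two patterns only; a spec that passes them still needs the review the message describes.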