rename root

Fabio Fracassi turiya at linuxfromscratch.org
Wed Oct 17 08:34:45 PDT 2001


On Wednesday 17 October 2001 12:09, Simon Geard wrote:
> On Thursday 18 October 2001 00:36, Fabio Fracassi wrote:
> > It is possible, but from a security viewpoint not very advisable.
> > Another account is another possible hole, and a hole with root privileges
> > is a severe danger.
> >
> > BTW, what good should it do?
> > If you need privileges for other users use groups/su or sudo.
>
> Making sure to use your brain when configuring sudo. As I've mentioned a
> while back, the configuration used at my workplace has a number of
> interesting holes.
>
> For example the following commands can be run as root:
>     vi /path/to/whatever/file
>     sh start.sh *
>
> The former fails to account for the fact that once vi is running as root,
> you can then open any other file on the system, or run a shell. The latter
> does not specify a path for the script to be run, so that any script called
> start.sh can be run.
>
> There are several other variations on this theme.
>
> Simon.

When dealing with security sensitive things one should always be very careful.
Your examples above sound like very sloppy administration.
One has to always make sure that the program that is granted root access is 
doing exactly what it should. Especially programs that allow shell calls are 
absolute don'ts.
If you are not sure whether a program allows more than you intend it to, write 
a wrapper script (write-protected of course), that enforces your restrictions.

But all that is also stated in the Documentation of sudo, and rather evident 
I think.

Also it is very seldom needed, at all, but if you need some root access it is 
better and safer than having two root accounts.

Fabio
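
An added example, not part of the original thread: a small Python lint for the command part of a sudo rule that flags the two weaknesses Simon describes (a program that can open other files or spawn a shell, and an interpreter given a script without an absolute path or with a wildcard). The program lists, the function names and the third sample rule are constructed for illustration and are not exhaustive.

```python
import os
import shlex

# Assumption: short, non-exhaustive lists chosen for this example.
SHELL_CAPABLE = {"vi", "vim", "emacs", "less", "more", "man", "find", "awk"}
INTERPRETERS = {"sh", "bash", "ksh", "csh", "perl", "python"}
WILDCARDS = set("*?[")


def audit_command(cmd):
    """Return a list of findings for one command a sudo rule allows as root."""
    argv = shlex.split(cmd)
    if not argv:
        return ["empty command"]
    findings = []
    prog = os.path.basename(argv[0])
    args = argv[1:]
    if prog in SHELL_CAPABLE:
        findings.append(f"{prog} can open other files or run a shell as root")
    if prog in INTERPRETERS:
        # First non-option argument is the script the interpreter will run.
        scripts = [a for a in args if not a.startswith("-")]
        if not scripts:
            findings.append(f"{prog} with no script is a root shell")
        elif not scripts[0].startswith("/"):
            findings.append(f"script {scripts[0]!r} has no absolute path")
    if any(WILDCARDS & set(a) for a in args):
        findings.append("wildcard in arguments lets the caller choose them")
    return findings


def audit(rules):
    """Map each rule to its findings; an empty list means nothing was flagged."""
    return {rule: audit_command(rule) for rule in rules}


# The first two rules are the ones quoted in the thread; the third is a
# constructed example of a fixed wrapper script with no caller-chosen arguments.
SAMPLE_RULES = [
    "vi /path/to/whatever/file",
    "sh start.sh *",
    "/usr/local/sbin/restart-service",
]

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(f"{rule}: {findings or 'no findings'}")
```

An empty result only means none of these particular patterns matched; it does not show that the program is safe to run as root.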

More information about the blfs-support mailing list