Date: Tue, 10 Jun 2003 00:14:42 -0700 From: Jon DeShirley <jond@uidaho.edu> To: Brett Glass <brett@lariat.org> Cc: security@freebsd.org Subject: Re: Removable media security in FreeBSD Message-ID: <3EE58562.1070601@uidaho.edu> In-Reply-To: <4.3.2.7.2.20030610010227.02a68ed0@localhost> References: <200306092254.QAA10240@lariat.org> <200306092254.QAA10240@lariat.org> <4.3.2.7.2.20030610010227.02a68ed0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 9 Jun 2003 Brett Glass wrote: > At 05:21 PM 6/9/2003, Doug Barton wrote: > >>On Mon, 9 Jun 2003, Brett Glass wrote: >> >>>Allowing the user to use sudo would effectively be giving him/her root >>>privileges, which we explicitly don't want to do. >> >>No it wouldn't. You can specify the commands that you allow each user to >>run. > > Ah, but letting the user mount and unmount things effectively lets that > person do anything he or she wants, by switching around what's mounted > at key mountpoints. Example: %users NOPASSWD:ALL=/sbin/mount /cdrom,/sbin/umount /cdrom What does this do? It allows users in the group 'users' to run the explicit commands ONLY. Now, unless you give them sudo access to vi /etc/fstab or something, there's no way '/sbin/mount /cdrom' is going to change behavior. btw, I would suggest reading the sudoers manual: http://www.courtesan.com/sudo/man/sudoers.html Cheers, --jon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EE58562.1070601>