From owner-freebsd-stable Mon Oct 9 18: 5:30 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from freeway.dcfinc.com (cx74889-a.phnx3.az.home.com [24.1.193.157]) by hub.freebsd.org (Postfix) with ESMTP id 16C2737B66C for ; Mon, 9 Oct 2000 18:05:28 -0700 (PDT)
Received: (from chad@localhost) by freeway.dcfinc.com (8.8.8/8.8.8) id SAA27750; Mon, 9 Oct 2000 18:05:25 -0700 (MST) (envelope-from chad)
From: "Chad R. Larson"
Message-Id: <200010100105.SAA27750@freeway.dcfinc.com>
Subject: Re: Security problem with "script"?
In-Reply-To: from Chris BeHanna at "Oct 7, 0 04:41:13 pm"
To: behanna@zbzoom.net
Date: Mon, 9 Oct 2000 18:05:25 -0700 (MST)
Cc: stable@FreeBSD.ORG
Reply-To: chad@DCFinc.com
Organization: DCF, Inc.
X-O/S: FreeBSD 2.2.8-STABLE
X-Unexpected: The Spanish Inquisition
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

As I recall, Chris BeHanna wrote:
> On Sat, 7 Oct 2000, Warner Losh wrote:
> > No. script forks a shell. sudo tells you to do that as root. It is
> > merely complying.
>
> Er, wouldn't that give a user root access to do anything he or she
> wanted?

Not unless said user was in the sudoers list, and allowed to run
a shell (or something that can spawn a shell, like vi).

Security is not simple, and is always diametrically opposed to
convenience.

-crl
--
Chad R. Larson (CRL15) 602-953-1392 Brother, can you paradigm?
chad@dcfinc.com chad@larsons.org larson1@home.net
DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254-2207

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
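
Added example, not part of the original message or of sudo itself: a small audit that lists which sudoers entries grant a shell or a program that can spawn one, which is the condition the reply above describes. It assumes simplified one-line user specifications (no aliases or line continuations); the users, hosts and the list of shell names are constructed, with only "script" and "vi" taken from the thread.

```python
import os
import re

# Programs that are a shell or can start one. "script" and "vi" come from the
# thread; the shell names are an assumed, non-exhaustive list.
SHELL_CAPABLE = {"sh", "csh", "tcsh", "bash", "ksh", "zsh", "script", "vi"}

# Constructed sample sudoers content (hypothetical users and hosts).
SAMPLE_SUDOERS = """\
# constructed example
Defaults env_reset
alice   ALL = (root) /usr/bin/script
bob     ALL = (root) /sbin/shutdown -r now, /usr/bin/vi /etc/hosts
carol   ALL = (ALL) ALL
dave    www = (root) NOPASSWD: /usr/sbin/apachectl restart
"""

# user host = (runas) command-list; the (runas) part is optional.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
# Leading tags such as NOPASSWD: are stripped and otherwise ignored here.
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                 "Host_Alias", "Cmnd_Alias")


def shell_grants(sudoers_text):
    """Return (user, program) pairs whose grant amounts to a root shell."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = SPEC_RE.match(line)
        if not match:
            continue
        for cmd in match.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if not cmd:
                continue
            program = cmd.split()[0]
            # "ALL" permits any command, so it includes every shell.
            if program == "ALL" or os.path.basename(program) in SHELL_CAPABLE:
                findings.append((match.group("who"), program))
    return findings


if __name__ == "__main__":
    for user, program in shell_grants(SAMPLE_SUDOERS):
        print(f"{user}: {program} can yield a shell as the target user")
```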