Date: Thu, 29 Dec 2011 11:46:59 +0000
From: Mike Clarke <jmc-freebsd2@milibyte.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: OT: Root access policy
Message-ID: <201112291147.00042.jmc-freebsd2@milibyte.co.uk>
In-Reply-To: <4EFC3FA3.1060603@my.gd>
References: <CA%2BNe_iJfFK43CE%2BL2LHcqNSmv7AmRDYyAu4pXGFpd3QB%2By3p2w@mail.gmail.com> <20111229105847.e15848ba.freebsd@edvax.de> <4EFC3FA3.1060603@my.gd>

On Thursday 29 December 2011, Damien Fleuriot wrote:

[snip]

> "sudo su -" or "sudo sh" and the customer gets a native root shell
> which does *not* log commands !

[snip]

> Say the customer can sudo commands located in
> /usr/local/libexec/CUSTOMER/
>
> All he has to do is write a simple link to sh/bash, and sudo it.

But if it's possible to determine exactly what commands the customer
needs to run as root then putting suitable incantations into
/usr/local/etc/sudoers should prevent the customer from being able to
use tricks like that.

-- 
Mike Clarke
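
An added example, not part of the original message: a small Python check that reads sudoers user specifications and flags the over-broad entries discussed in this thread (shells, `su`, a whole directory, `ALL`), so they can be replaced with explicit commands. The sample lines, the `rotate-logs` helper name and the rule set are constructed for illustration; alias expansion and escaped commas are not handled.

```python
import re

# Commands that hand over an interactive root shell (illustrative list).
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh", "ksh", "su"}

# Constructed sample; only the directory path comes from the quoted message.
# "rotate-logs" is a hypothetical helper name.
SAMPLE = '''\
# weak: a directory spec allows anything placed or linked in that directory
customer ALL = (root) /usr/local/libexec/CUSTOMER/
customer ALL = (root) /usr/bin/su -, /bin/sh
# tighter: full paths with fixed arguments ("" means no arguments allowed)
customer ALL = (root) /usr/sbin/service nginx restart, /usr/local/libexec/CUSTOMER/rotate-logs ""
'''

def audit_command(cmd):
    """Return the reasons one sudoers command spec is too broad."""
    path = cmd.split()[0]
    reasons = []
    if path == "ALL":
        reasons.append("ALL permits any command")
    elif path.endswith("/"):
        reasons.append("directory spec permits any file placed in it")
    elif path.rsplit("/", 1)[-1] in SHELLS:
        reasons.append("root shell, commands inside it are not logged")
    if "*" in cmd:
        reasons.append("wildcard widens what can match")
    return reasons

def audit_sudoers(text):
    """Return (line_no, user, command, reason) for each risky user spec."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if "=" not in line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue  # comments, Defaults and alias definitions are skipped
        user, spec = line.split()[0], line.split("=", 1)[1]
        spec = re.sub(r"^\s*\([^)]*\)", "", spec)  # drop the (runas) part
        for cmd in spec.split(","):  # simplification: no escaped commas
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()  # drop tags
            if cmd:
                findings += [(n, user, cmd, r) for r in audit_command(cmd)]
    return findings

if __name__ == "__main__":
    for n, user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"line {n}: {user}: {cmd!r}: {reason}")
```

An explicit entry is only as tight as the file behind it: the listed programs and their directory should be owned by root and not writable by the customer.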