Date:      Tue, 9 Jul 1996 22:42:41 -0700 (PDT)
From:      Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
To:        taob@io.org (Brian Tao)
Cc:        freebsd-security@freebsd.org
Subject:   Re: sudo
Message-ID:  <199607100542.WAA06366@kdat.calpoly.edu>
In-Reply-To: <Pine.NEB.3.92.960709200721.18177A-100000@zap.io.org> from "Brian Tao" at Jul 9, 96 08:08:28 pm

>     What are people's feelings towards the "sudo" utility?  Is it
> really all that useful, or does it just open up a lot of potential
> avenues of attack and abuse?  Some of our co-located customers want to
> have it installed so they can do some root-privileged stuff, instead
> of getting us to do it all the time (even though that's what they pay
> us to do).

Sudo is useful for a lot of situations, but remember it is equivalent to
giving said user a uid of zero.  There is no way to keep a user with sudo
access from getting root.  As long as you remember that, you're ok.

Second, something you said bothers me.  They want to do root stuff even though
you are paid to do that.  Be very careful here with responsibility.  What
happens when they call you up complaining that no one but root can run commands?
How long will it take you to find that the customer accidentally did a
chmod 700 /? (actual case).  What if it's something more subtle?  Are you and
they willing to accept the fact that it might take you extra time and/or money
to clean up after them? 

Lastly, be careful what version of sudo you get.  The version distributed a
while back (and included in a popular sysadmin book!) used popen() to send mail
when a user wasn't in the sudoers file.  Hey, then you can put yourself in the
sudoers file..  a feature!

-- 
Nate Lawson                  "There are a thousand hacking at the branches of
CPE Senior                    evil to one who is striking at the root."
CSL Admin                              -- Henry David Thoreau, 'Walden', 1854
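
An added example (not part of the original message and not sudo's code) for the popen() point above: popen() passes its command string to /bin/sh, and that shell inherits the caller's environment, which in a setuid program is supplied by the invoking user. The sketch below runs a fixed absolute path through execve() with a constructed environment instead; the names `run_without_shell` and `CLEAN_ENV` and the PATH value are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed environment: nothing is inherited from the invoking user. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper: run argv[0] with CLEAN_ENV and `body` on its stdin.
 * No shell is involved, so argv entries are never parsed as shell syntax.
 * Returns the child's exit status, or -1 on error. */
int run_without_shell(char *const argv[], const char *body)
{
    int fds[2], status = 0;
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                        /* absolute path only, no PATH search */
    if (pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        close(fds[1]);
        /* stdin may have been closed by the caller, making fds[0] == 0 */
        if (fds[0] != STDIN_FILENO &&
            (dup2(fds[0], STDIN_FILENO) == -1 || close(fds[0]) == -1))
            _exit(127);
        execve(argv[0], argv, CLEAN_ENV);
        _exit(127);                       /* exec failed */
    }
    close(fds[0]);
    /* A child that exits without reading must not kill us with SIGPIPE. */
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);
    size_t left = strlen(body);
    while (left > 0) {
        ssize_t n = write(fds[1], body, left);
        if (n <= 0) break;
        body += n;
        left -= (size_t)n;
    }
    close(fds[1]);
    signal(SIGPIPE, old);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

A caller would pass the mailer's absolute path as `argv[0]` and the notice text as `body`; the user name then travels as data on stdin or as a separate argv entry, never as part of a shell command line.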


