Re: Sudo question

From: Frye, Matthew (Matthew.Frye@REXHEALTH.COM)
Date: Mon Apr 19 2004 - 09:11:00 EDT


> While "sudo sh" will work, be aware that this will give the
> user running this command full root access. He/she will be in
> a shell as root - very dangerous.

Agreed. It's also a good idea to explicitly disallow such commands in
/etc/sudoers. Also consider disallowing "sudo su" and "sudo sudo su." Some
users will try anything to get root access.

> There is no easy way to get sudo to do this. You would think
> configuring something along the lines of "/bin/vi /foo/bar/*" would be
> the answer and this will allow the user to edit said files,
> but it will also allow the user to edit ANY file on the system. e.g.:
> "sudo /bin/vi /foo/bar/../../etc/sudoers" will work just fine!
>
> If anybody knows of a good way to do this (other than a
> wrapper script) please share. I'd be very interested in
> seeing how other people have solved this problem.

In such cases, I've left sudo out of the equation altogether and simply
created a new group, added that user and root to it, changed the group of
the files in question to that common group, then chmod 775 or 765 on that
file. Then the users can edit those files, without having root access at
all.

Matt Frye
Sr. Systems Programmer, RS/6000 Group
Rex Healthcare
(919) 784-3791
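
The pattern problem quoted above, as an added example that is not part of the original message: a glob in which "*" also matches "/" (as sudoers wildcards do in command arguments) accepts the traversal path, while a lexical normalization shows where that path really points. The function names are hypothetical, the paths are the ones from the thread, and symlinks are not resolved.

```shell
#!/bin/sh
# Added example: "/foo/bar/*" as an argument pattern does not confine
# an editor to /foo/bar. Function names are hypothetical.

# glob_matches PATTERN STRING: glob match in which "*" also matches "/".
glob_matches() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# normalize PATH: lexically collapse "." and ".." in an absolute path.
# Assumption: symlinks are not resolved, this is string handling only.
normalize() {
    out=""
    rest="${1#/}"
    while [ -n "$rest" ]; do
        part="${rest%%/*}"
        case "$rest" in
            */*) rest="${rest#*/}" ;;
            *)   rest="" ;;
        esac
        case "$part" in
            ""|.) ;;                      # empty or "." component: skip
            ..)   out="${out%/*}" ;;      # ".." drops the last component
            *)    out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# confined DIR PATH: true only if the normalized PATH is still below DIR.
confined() {
    case "$(normalize "$2")" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check PATTERN DIR PATH: print both views of one request.
check() {
    if glob_matches "$1" "$3"; then m=matches; else m=no-match; fi
    if confined "$2" "$3"; then c=inside; else c=OUTSIDE; fi
    printf '%s -> %s: pattern %s, target %s %s\n' "$3" "$(normalize "$3")" "$m" "$c" "$2"
}

check '/foo/bar/*' /foo/bar /foo/bar/motd                   # constructed sample path
check '/foo/bar/*' /foo/bar /foo/bar/../../etc/sudoers      # path from the thread
```

Both requests match the pattern, but only the first stays inside /foo/bar, which is why the group-ownership approach described in the reply avoids the problem instead of trying to constrain the argument.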



