--On December 5, 2012 7:01:21 PM -0600 Tim Daneliuk <[email protected]>
wrote:
On 12/05/2012 06:35 PM, Kurt Buff wrote:
On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <[email protected]>
wrote:
On 12/05/2012 05:44 PM, Kurt Buff wrote:
On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <[email protected]>
wrote:
I am working with an institution that today provides limited privilege
escalation on their servers via very specific sudo rules. The problem is
that the administrators can do 'sudo su -'.
<snip>
sudo is misconfigured.
man 5 sudoers and man 8 visudo
Kurt
I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're
saying. Are you suggesting that there is a way to configure
sudo so that if someone does 'sudo su -' to become an admin,
sudo can be made to log every command they execute thereafter?
No, I'm saying that sudo should not be configured to allow 'sudo su -'.
Since you say that the users are provided "limited privilege
escalation on their servers via very specific sudo rules", it seems to
me that one of three things is going wrong:
o- Something is wrong with the configuration of sudoers if they can su
to root when they shouldn't be able to do so
o- Someone has misconceived what "limited privilege escalation on
their servers via very specific sudo rules" actually means, and
deliberately has it configured to allow users to su to root
o- The users' accounts are already root equivalent, which, depending
on the version and configuration of sudo, might give them the ability
to sudo to root regardless of the contents of the sudoers file (see,
for instance, the screen in FreeBSD when you perform
'cd /usr/ports/security/sudo' and then 'make config')
Kurt
Oh, OK, I wasn't being clear:
- *Some* users are granted the ability to do 'sudo su -'. These
are the sysadmins.
- All other users are given selective ability to run only a few
things via sudo. This varies by department and is controlled
through a combination of sudo rules and central LDAP group
membership control. This is necessary because, for example,
some DBAs need this when installing a particular client.
Install security/sudoscript.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"
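Editor's note, added to the archived thread and not part of any poster's
message: the sudoers fragment below illustrates the two points raised
above, Kurt's (a rule set that hands out 'su -' is effectively a root
grant, so name the exact commands instead) and Tim's question about
logging what happens after 'sudo su -' (sudo's own I/O logging,
log_input/log_output, records the whole tty session of any command run
through sudo, including a shell spawned by su, and sudoreplay(8) plays it
back). The group names dba and wheel, the FreeBSD paths, and the
/usr/local/bin/oracle_client_install script are assumptions chosen for
the example, not taken from the thread.

```text
# Example sudoers fragment (FreeBSD: /usr/local/etc/sudoers, edit with visudo).
# Group names and the install script path are hypothetical.

## Weak: the DBA group may run su.  sudo logs one line ("su -") and the
## resulting root shell is unrecorded and unrestricted.
# %dba   ALL=(root) /usr/bin/su -, /usr/local/bin/oracle_client_install

## Do not "fix" this with negation, e.g.  %dba ALL=(root) ALL, !/usr/bin/su
## sudoers(5) documents that '!' on commands is bypassable (copy the binary
## to another name); allow-list the needed commands instead.

## Better: enumerate exactly what the department needs, nothing that spawns
## a shell or an editor.
Cmnd_Alias DBA_CMDS = /usr/local/bin/oracle_client_install
%dba    ALL=(root) DBA_CMDS

## Sysadmins who genuinely need a root shell: keep the grant, but record the
## session.  log_input/log_output write the tty stream under
## /var/log/sudo-io (iolog_dir); replay with: sudoreplay <session-id>
## use_pty forces a pseudo-tty so the captured I/O is complete.
Defaults:%wheel log_input, log_output, use_pty
%wheel  ALL=(ALL) ALL
```

Check the result with 'sudo -l -U <user>' for a DBA and for an admin:
the DBA should see only DBA_CMDS, and 'sudo su -' should be refused for
that account. For the admin, 'sudoreplay -l' should list a new session
after they run 'sudo su -' and exit.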