On Dec 6, 2012, at 1:35 AM, Kurt Buff <[email protected]> wrote: > On Wed, Dec 5, 2012 at 3:48 PM, Tim Daneliuk <[email protected]> wrote: >> On 12/05/2012 05:44 PM, Kurt Buff wrote: >>> >>> On Wed, Dec 5, 2012 at 3:19 PM, Tim Daneliuk <[email protected]> >>> wrote: >>>> >>>> I am working with an institution that today provides limited privilege >>>> escalation >>>> on their servers via very specific sudo rules. The problem is that the >>>> administrators can do 'sudo su -'. >>> >>> <snip> >>> >>> >>> sudo is misconfigured. >>> >>> man 5 sudoers and man 8 visudo >>> >>> >>> >>> Kurt >>> >> >> I'm sorry Kurt, I'm sort of dense today, I'm not sure what you're >> saying. Are you suggesting that there is a way to configure >> sudo so that if someone does 'sudo su -' to become an admin, >> sudo can be made to log every command they execute thereafter? > > No, I'm saying that sudo should not be configured to allow 'sudo su -'.
This is an ineffective solution. So what, you're going to forbid "sudo su -" Fine, I'll just run "sudo csh" . If you forbid csh, I'll just copy the existing `which csh` to ~/toto and "sudo ~/toto" . Basically, anything short of actually whitelisting what people can run won't do. And apparently that's not in Tim's list of desirable things ;) _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[email protected]"
