OT: Root access policy

Mike Clarke jmc-freebsd2 at milibyte.co.uk
Thu Dec 29 11:47:04 UTC 2011

On Thursday 29 December 2011, Damien Fleuriot wrote:


> "sudo su -" or "sudo sh" and the customer gets a native root shell
> which does *not* log commands !


> Say the customer can sudo commands located in
> /usr/local/libexec/CUSTOMER/
> All he has to do is write a simple link to sh/bash, and sudo it.

But if it's possible to determine exactly what commands the customer 
needs to run as root then putting suitable incantations 
into /usr/local/etc/sudoers should prevent the customer from being able 
to use tricks like that.

Mike Clarke

More information about the freebsd-questions mailing list