OT: Root access policy
Mike Clarke
jmc-freebsd2 at milibyte.co.uk
Thu Dec 29 11:47:04 UTC 2011
On Thursday 29 December 2011, Damien Fleuriot wrote:
[snip]
> "sudo su -" or "sudo sh" and the customer gets a native root shell
> which does *not* log commands !
[snip]
> Say the customer can sudo commands located in
> /usr/local/libexec/CUSTOMER/
>
> All he has to do is write a simple link to sh/bash, and sudo it.
But if it's possible to determine exactly what commands the customer
needs to run as root then putting suitable incantations
into /usr/local/etc/sudoers should prevent the customer from being able
to use tricks like that.
--
Mike Clarke
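
An added example, not part of Mike Clarke's message: a sudoers fragment contrasting the directory-wide grant described in the quoted text with a grant limited to named commands. The user name "customer" and the two script names are hypothetical.

```sudoers
# Added example; user "customer" and the script names are hypothetical.
# Edit with: visudo -f /usr/local/etc/sudoers

# Weak: a trailing slash permits every file in the directory, so anything
# the customer can place there (for instance a link to sh) runs as root.
# customer ALL = (root) /usr/local/libexec/CUSTOMER/

# Tighter: name each command by full path; "" means no arguments allowed.
Cmnd_Alias CUSTOMER_CMDS = /usr/local/libexec/CUSTOMER/restart-app "", \
                           /usr/local/libexec/CUSTOMER/rotate-logs ""

# NOEXEC stops a dynamically linked command from running further programs
# (a shell escape); drop the tag for scripts that must call other programs.
customer ALL = (root) NOEXEC: CUSTOMER_CMDS
```

The listed files and their directory must be owned by root and not writable by the customer, otherwise a permitted path can simply be replaced.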