Restricting users from certain privileges
Kurt Jaeger
lists at opsec.eu
Sat Apr 28 18:04:30 UTC 2012
Hi!
> > > Please do study sudo real power :-)
> > > It can give selective privileges per-command,
[...]
> > Just make sure none of the permitted commands has got the
> > feature of starting a shell ;-))
>
> Right, think of vi(1), less(1), et al.
Even this aspect is taken care of with sudo (at least to a certain limit):
NOEXEC and EXEC
If sudo has been compiled with noexec support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
In the following example, user aaron may run /usr/bin/more and
/usr/bin/vi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.
--
pi at opsec.eu +49 171 3101372 8 years to go !
More information about the freebsd-stable
mailing list