HPE Community
Operating System - HP-UX
1835962 Members
2159 Online
110088 Solutions
New Discussion

Re: Sudo Problems

 
Daniel Crow
Occasional Advisor

‎10-09-2001 12:04 PM

‎10-09-2001 12:04 PM

Sudo Problems

I was going about some sudo file maintanence this evening and found that if a user were to have sudo privliges to chmod or chown they could simply change their access or anyones access in the sudoers file simply by modifying their rights to the file. Does anyone have a solution for this?

I could put it on an nfs drive and mount it as read only but that seems so cumbersome. There has to be a more viable solution.

I know giving chmod / own rights to a user is a bad thing but it is necessary in this case. I guess giving them rights to chmod or chown at all gives them pretty much free run of the machines they are on. Maybe this is a no win situation.
0 Kudos
Reply
3 REPLIES 3
harry d brown jr
Honored Contributor

‎10-09-2001 12:11 PM

‎10-09-2001 12:11 PM

Re: Sudo Problems

especially if they did this:

cp /usr/bin/ksh myksh
chown root bin myksh
chmod 4777 myksh

then they could always have a "root" user, without sudo!
Live Free or Die
0 Kudos
Reply
Santosh Nair_1
Honored Contributor

‎10-09-2001 12:15 PM

‎10-09-2001 12:15 PM

Re: Sudo Problems

If you really think about it, there really is not way to secure something like sudo...there has to be some amount of trust.

For example, there is nothing that prevents a user from doing something like the following:

cp /bin/ksh /tmp/myksh
chown root:root /tmp/myksh
sudo chmod 4555 /tmp/myksh

and now I have a ksh that has root privs.

The only other alternative is to write a suid program (not a script) that only does a specific thing, such as a chown, but even then you'd have to do so many checks that you're probably going to give up in frustration. :-)

-Santosh
Life is what's happening while you're busy making other plans
0 Kudos
Reply
Kevin Wright
Honored Contributor

‎10-09-2001 01:43 PM

‎10-09-2001 01:43 PM

Re: Sudo Problems

I am not sure why I can't get it to work in this case, but for instance, to give users perms to change other users passwords and NOT roots, you do this..
users passwd, !passwd root

but
users chown, !chown /opt/sudo
does not seem to work.

This is the only way I know of to restrict what sudo commands do.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.