Mailing Lists: Apple Mailing Lists


Re: Security flaw... kindda!



On 29/4/03, Juan Manuel Palacios (email@hidden) said:

> What this means is that anyone with administrator access in a system
>with a stock sudoers file can go in and claim ownership of root with
>that simple hack. What do the wise and knowledgeable people of this
>forum have to say about that? Should we freak out just now or...? I'll
>try to hold my breath until I've read some of the opinions I'll,
>hopefully, get in reply!

When someone has admin access, you are effectively giving them ALL=(ALL) ALL
access for sudo, among other things. Personally I'd only be giving admin access
to people I trust.

Why not create a system group called something like "subadmins", add the desired
less-access-than-root-but-more-access-than-plebs people to that group, then
create a group specification in /etc/sudoers granting access to the specific
commands you would like them to be able to use?

The sudoers manpage has a good example on creating just such a tiered
administration scheme, using "full time admins", "part time admins" and
"webmasters" as examples of three different levels of superuser access required.
See man sudoers for more information.

Cheers
James
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.

References: 
 >Security flaw... kindda! (From: Juan Manuel Palacios <email@hidden>)
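
An added example (not part of James's message and not Apple's configuration) of the group specification the reply describes. The `subadmins` group name comes from the message; the alias name and the two commands are constructed for illustration.

```sudoers
# /etc/sudoers fragment: always edit with visudo so syntax errors are caught.

# Broad rule discussed in the thread: any member of "admin" can run
# any command as any user, which includes becoming root.
%admin      ALL=(ALL) ALL

# Narrow tier (constructed example). List full paths with fixed arguments,
# and leave out editors, pagers, shells and interpreters: anything that
# can spawn a shell turns a restricted rule back into full root.
Cmnd_Alias  SUBADMIN_CMDS = /usr/sbin/apachectl restart, \
                            /usr/sbin/apachectl configtest

# Members of "subadmins" may run only those commands, and only as root.
%subadmins  ALL = (root) SUBADMIN_CMDS
```

Run `visudo -c` afterwards to check the syntax. Accounts placed in `subadmins` must not also be members of `admin`, otherwise the broad rule still applies to them.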


