Re: Problems 'su'ing into the root user



On Aug 22, 2006, at 5:45 PM, Ian Ward Comfort wrote:

On Aug 22, 2006, at 2:32 PM, Michael Johnson wrote:
You can also restrict the commands the person can run by doing something like:

Cmnd_Alias SUPPORT = /usr/bin/less, /bin/more, /bin/chmod, /bin/chown, /bin/cat

and then:

username         ALL=(root)      NOPASSWD: SUPPORT

This gives the person rights to run the listed commands as root, but nothing else.

Realize that this particular combination gives a malicious user a root shell if (s)he wants one.

Give anyone the ability to chmod/chown as root, then of course. It was just an example. You are of course going to be more careful, and not give any sudo access to anyone you can't trust.


Before we get into some pointless argument about trust, just stop. That's not the point of the example. It was just that...an example.

-Michael

---------------------------------------
O it is excellent to have a giant's strength; but it is tyrannous To use it like a giant.
--Shakespeare, Measure for Measure, Act II
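
Added example, not part of the original thread: a small audit that expands `Cmnd_Alias` entries in sudoers text and reports rules that delegate `chmod` or `chown`, the two commands the reply above singles out. The names `RISKY`, `audit` and `expand`, the `READONLY` alias and the `helpdesk` user are hypothetical; the parser assumes `Cmnd_Alias` definitions and ordinary user rules only, not the full sudoers grammar.

```python
import os
import re

# Assumption: the binaries treated as unsafe to delegate. chmod and chown are
# the two named in the thread; extend the mapping to match local policy.
RISKY = {"chmod": "can change the mode of any file as root",
         "chown": "can change the owner of any file as root"}

# Constructed sample: the alias and rule from the message, plus a narrower
# READONLY alias and a "helpdesk" user that are hypothetical.
SAMPLE = """\
Cmnd_Alias SUPPORT = /usr/bin/less, /bin/more, /bin/chmod, /bin/chown, /bin/cat
Cmnd_Alias READONLY = /bin/cat
username         ALL=(root)      NOPASSWD: SUPPORT
helpdesk         ALL=(root)      READONLY
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")

def expand(item, aliases, seen=()):
    """Resolve an alias name (possibly nested) to concrete command strings."""
    if item in aliases and item not in seen:
        return [c for sub in aliases[item] for c in expand(sub, aliases, seen + (item,))]
    return [item]

def audit(text, risky=RISKY):
    """Return (user, runas, nopasswd, command, reason) for each risky grant."""
    aliases, rules, findings = {}, [], []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
        elif not re.match(r"^\w+_Alias\s", line):  # skip User/Host/Runas aliases
            m = RULE_RE.match(line)
            if m:
                rules.append(m.groups())
    for user, runas, tags, cmds in rules:  # second pass: aliases may follow use
        for item in (c.strip() for c in cmds.split(",") if c.strip()):
            for cmd in expand(item, aliases):
                name = os.path.basename(cmd.split()[0])
                if not cmd.startswith("!") and name in risky:  # "!" negates a grant
                    findings.append((user, runas or "root", "NOPASSWD:" in tags, cmd, risky[name]))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the constructed sample it reports the two `username` grants and nothing for `helpdesk`.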

