Sat, 12 Nov 2005
Sudo Article Promoted Bad Behaviour
I like sudo, it allows you to
give people (and automated jobs) more privileges without having to hand
out the root password. One of the more important aspects of its use is
restricting the commands a user can run. After all, limiting peoples
access to rootly powers doesn't help much if they can just shell out to
bash or edit the shadow file (or other important files) and locally
escalate their privileges.
Unfortunately a Linux.com sudo article shows new users a number of ways of doing this without explaining why it's a really bad idea. I understand that a lot of people just give themselves full root powers using sudo (hell I do on my own machines) but in an article pointed at beginners, especially one that has examples of using an interactive editor with sudo, the concepts need to be explained and some good practices presented. More why with the how please.
The highlight of the article for me was introducing new users to the 'sudoedit' and '-e' options: "but it uses the editor in your $EDITOR environment string". How often do you check the value in $EDITOR? Neither do I. And you're expected to blindly trust, with full root powers, whichever command it points to?
Like this post? - Digg Me! | Add to del.icio.us! | reddit this!
Posted: 2005/11/12 16:33 | /security | Permanent link to this entry | This entry + same date
Copyright © 2000-2005 Dean Wilson
