From owner-freebsd-questions Mon Jul 19 12:35:49 1999
From: bill@twwells.com (T. William Wells)
To: freebsd-questions@freebsd.org
Subject: Re: how to watch the root user?
Message-ID: <7mvubh$2hht$1@twwells.com>
References: <7muo54$reg$1@twwells.com>
Date: Mon, 19 Jul 1999 15:33:03 -0400

In article , Ilia Chipitsine wrote:
: sudo is also supposed to provide a restricted set of commands.
: what is the difference between those shells and sudo ?!

A "restricted shell" tries to be a complete shell, except that it
supposedly only allows certain programs to run or the user to visit
certain directories. That sort of thing.

The thing is, it's usually possible to get around the restrictions.
For example, a program that the user is allowed might allow the
spawning of a shell and there's a good chance it'll spawn /bin/sh
instead of $SHELL. And then there is echo
'gibberishthatexecs/bin/shell' >foo; chmod 775 foo; foo. The list of
holes is endless.
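
Added example (not part of the original message): a Python audit of a restricted account's PATH for the two holes described above, namely allowed programs that are shells or can start one, and PATH entries where the user could create and run a file of their own. The function names and both program lists are assumptions to adapt per site.

```python
import os
import stat

# Assumption: site-maintained lists, not exhaustive.
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh", "zsh"}
SPAWNS_SHELL = {"vi", "ex", "ed", "more", "less", "man", "mail", "ftp"}


def user_can_write(st, uid, gids):
    """True if the given uid/gids may write to the object described by st."""
    if st.st_uid == uid:            # the owner can always chmod it writable
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_restricted_path(path_value, uid, gids=()):
    """Return sorted (issue, item) findings for a restricted user's PATH."""
    findings = set()
    for d in path_value.split(":"):
        if not os.path.isabs(d):
            # "" or "." means the current directory: a file the user
            # creates and marks executable there can be run by name.
            findings.add(("relative-path-entry", d or "(empty)"))
            continue
        if not os.path.isdir(d):
            continue
        if user_can_write(os.stat(d), uid, gids):
            findings.add(("user-writable-dir", d))
        for name in os.listdir(d):
            full = os.path.join(d, name)
            # Check the link name and what it finally resolves to.
            names = {name, os.path.basename(os.path.realpath(full))}
            if names & SHELLS:
                findings.add(("unrestricted-shell", full))
            elif names & SPAWNS_SHELL:
                findings.add(("can-spawn-shell", full))
            if os.path.exists(full) and user_can_write(os.stat(full), uid, gids):
                findings.add(("user-writable-file", full))
    return sorted(findings)
```

An empty result only means none of these particular checks fired; it does not show that the restricted environment has no other way out.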