Date:      Sat, 13 Jul 1996 02:01:54 -0400 (EDT)
From:      Brian Tao <taob@io.org>
To:        Peter Howlett <phowlett@ASG.unb.ca>
Cc:        FREEBSD-SECURITY-L <freebsd-security@FreeBSD.ORG>
Subject:   Re: sudo
Message-ID:  <Pine.NEB.3.92.960713015314.27070g-100000@zap.io.org>
In-Reply-To: <Pine.A32.3.93.960709214758.14947A-100000@angus.ASG.unb.ca>

On Tue, 9 Jul 1996, Peter Howlett wrote:
>
> There are of course many other more obscure ways of getting a root
> shell as well, depending on what you allow in the sudoers file.

    One innocent request for sudo access was made by a customer who
wanted to chown Web pages to the proper userid once he had finished
designing and writing them (they have customers of their own on their
server).  That also means he could chmod 4555 a copy of /bin/sh and
then chown it to root... :(

    The more I think about it, the more instances I see where sudo is
a greater potential liability than a benefit.  The above situation can
be adequately solved by assigning multiple usernames to the same uid,
so that our customer and their customer can have separate mailboxes
and passwords, but still work on the files without worrying about
group permissions.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
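As an added example (not part of this thread), a defender-side audit for the situation Brian describes: walk a tree, report setuid files owned by root, and mark those whose contents match a known shell binary, so a renamed setuid copy of /bin/sh stands out. The demo tree, its file contents and the stand-in shell are all constructed; in production you would pass owner_uid=0 and the hashes of the real system shells.

```python
import hashlib
import os
import shutil
import stat
import tempfile

def sha256_of(path):
    # Content hash: a renamed copy of the shell is still recognised.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_setuid(root, owner_uid=0, shell_hashes=frozenset()):
    """Sorted (path, is_shell_copy) for every setuid regular file under root
    owned by owner_uid (0 = root); is_shell_copy marks known shell contents."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if st.st_uid == owner_uid:
                findings.append((path, sha256_of(path) in shell_hashes))
    return sorted(findings)

def _write(path, data, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed tree: a stand-in for /bin/sh, a setuid copy of it hidden in
    a web directory (the chmod 4555 step), an unrelated setuid helper and a
    plain file. The files are ours, so we audit for our uid instead of root."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    try:
        _write(os.path.join(base, "bin", "sh"), b"\x7fELF-fake-shell", 0o555)
        _write(os.path.join(base, "htdocs", ".sh"), b"\x7fELF-fake-shell", 0o4555)
        _write(os.path.join(base, "libexec", "helper"), b"\x7fELF-other", 0o4555)
        _write(os.path.join(base, "htdocs", "index.html"), b"<html>", 0o644)
        known = {sha256_of(os.path.join(base, "bin", "sh"))}
        hits = find_setuid(base, owner_uid=os.getuid(), shell_hashes=known)
        return [(os.path.relpath(p, base), s) for p, s in hits]
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Call demo() for the constructed run; a real audit is find_setuid("/", 0, {sha256_of("/bin/sh"), ...}) with whichever shells the host ships.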