LinuxQuestions.org


skp 10-09-2012 06:15 AM

Sudo access
 
Hi,

I have sudo access for doing system admin tasks. But if I run sudo screen I immediately log in as root and get root privileges. Is there any way to stop this loophole? Please let me know.

acid_kewpie 10-09-2012 06:27 AM

What loophole? You provide credentials as mandated in the sudoers file... it's working correctly. I presume you would say that running "sudo -i" is also this same loophole?

skp 10-10-2012 12:53 PM

I have checked the privileges for it in the /etc/sudoers file, everything seems to be fine. The scenario is I do not have privileges to edit the httpd conf file. But when I run sudo screen, I log in to the screen as root and then I am able to edit the httpd conf file. How do I block the root access?

TobiSGD 10-10-2012 01:04 PM

You are doing it the wrong way. sudo is a program that can be used to give a user root access to specific applications. You define those applications in the sudoers file. If you don't want to be able to run screen as root, don't add screen to your program list in that file. With sudo you have to be very careful and test every application that you add to the list to see if there are ways to break out from it as root. For example, you shouldn't allow the use of Vim or Emacs as root with sudo, since both are able to start shells, which would be started as root in that case.

So the solution for your problem is not to block single applications, but to not allow them in the first place.

acid_kewpie 10-10-2012 01:51 PM

As above, there IS no problem. Yes, everything looks correct, as it probably is.

Quote:

Originally Posted by TobiSGD (Post 4802367)
For example, you shouldn't allow the use of Vim or Emacs as root with sudo, since both are able to start shells, which would be started as root in that case.

Well, I'd say the more obvious reason is that that would allow the user to edit /etc/sudoers!
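
The review the thread recommends (check every program granted in sudoers for a way to reach a root shell) can be scripted. The following is an added example, not code from any poster in this thread: a simplified audit that flags grants of `ALL` or of the programs named above (screen, Vim, Emacs). It does not implement the full sudoers grammar, and the users, aliases and paths in the sample are constructed.

```python
import os
import re

# Programs the thread names as able to hand out a root shell when run via sudo.
SHELL_CAPABLE = {"screen", "vim", "emacs"}

# Constructed sample sudoers content (not from the original thread).
SAMPLE_SUDOERS = """\
# constructed example
Cmnd_Alias EDITORS = /usr/bin/vim, /usr/bin/emacs
Cmnd_Alias WEB = /sbin/service httpd restart, \\
                 /sbin/service httpd reload
webadmin ALL=(root) /usr/bin/screen, WEB
alice    ALL=(root) NOPASSWD: EDITORS
bob      ALL=(ALL) ALL
carol    ALL=(root) /usr/bin/tail /var/log/httpd/error_log
"""

def audit(text):
    """Return sorted (user, command, reason) findings for risky grants."""
    aliases, findings = {}, []
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash continuations
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:  # remember the alias so user specs can be expanded later
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or m.group(1).startswith("Defaults") or m.group(1).endswith("_Alias"):
            continue
        user, cmds = m.group(1), m.group(2)
        for item in cmds.split(","):
            item = re.sub(r"^(\s*[A-Z_]+:)+\s*", "", item.strip())  # drop tags like NOPASSWD:
            for cmd in aliases.get(item, [item]):
                if cmd.startswith("!"):  # a negated entry grants nothing
                    continue
                if cmd == "ALL":
                    findings.append((user, cmd, "unrestricted root"))
                elif os.path.basename(cmd.partition(" ")[0]) in SHELL_CAPABLE:
                    findings.append((user, cmd, "can start a root shell"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{u}: {c} -> {r}" for u, c, r in audit(SAMPLE_SUDOERS)))
```

To check a real system, pass the contents of `/etc/sudoers` and the files under `/etc/sudoers.d/` to `audit()`; any finding is a grant to remove or replace with a narrower command.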

