On Feb 5, 2008, at 3:01 PM, Josh Welch wrote:

> Quoting Eric F Crist <ecrist at secure-computing.net>:
>
>> On Feb 5, 2008, at 2:04 PM, Josh Welch wrote:
>>>
>>> Note that the proper approach here would be to simply disallow doing a
>>> sudo to su if you're on a multi-user system where such things matter.
>>> One of the nice things about sudo is that you can specify with a fair
>>> degree of granularity what users are allowed to issue what commands as
>>> the superuser.
>>
>>
>> Hardly a work-around as I could execute sudo <favorite_shell_here>.
>
> Ummm, what makes you think I gave you the access to `sudo bash` if I
> didn't give the access to `sudo su`? ;)

You said you would disallow doing a sudo to su. You said nothing about disallowing other commands. My point is that there are other ways to obtain a root shell without going the su route. As someone else mentioned, vim, emacs, poorly written shell scripts dumped into $PATH, etc.

The more secure, or safer, method may be to white-list rather than black-list. At least, that's been my experience.

-----
Eric F Crist
Secure Computing Networks
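
An added example, not part of the original message or written by anyone in the thread: a small audit pass over sudoers user specifications that flags the two patterns the thread argues about, `ALL` with `!` exclusions (black-list) and direct grants of programs that yield a root shell. The user names, the sample policy and the program list are constructed assumptions, and the parser handles only simple one-line rules (no alias expansion, no line continuations).

```python
import re

# Programs the thread names as routes to a root shell (su, shells, vim, emacs).
# The concrete shell names are an assumed, non-exhaustive list.
SHELL_CAPABLE = {"su", "sh", "bash", "zsh", "csh", "ksh", "vi", "vim", "emacs"}

SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# user host = (runas) commands...   (simple one-line user specification)
RULE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit_sudoers(text):
    """Return (line_no, user, finding) for each risky rule in sudoers text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = [TAGS.sub("", c.strip()) for c in m["cmds"].split(",")]
        cmds = [c for c in cmds if c]
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in allowed:
            # Exclusions subtracted from ALL are a black-list: anything
            # not listed is still permitted.
            findings.append((no, m["user"], "denylist" if denied else "unrestricted"))
        for c in allowed:
            prog = c.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_CAPABLE:
                findings.append((no, m["user"], "shell:" + prog))
    return findings


# Constructed sample policy, not taken from any real system.
SAMPLE = """\
# constructed sample policy
Defaults env_reset
alice  ALL = (root) ALL, !/usr/bin/su
bob    ALL = (root) /usr/bin/vim /etc/hosts
carol  ALL = (root) NOPASSWD: /usr/local/sbin/rotate-logs
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Only the `carol` rule, which names one specific command, passes without a finding; that is the white-list shape the message recommends.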