Pick a Free OS

User login

Navigation

Psudo root!

ALL ALL=/usr/bin/wvdial

This allows ALL users to run on any host, as root, the command wvdial.

Finally the last line,

TRUSTED ALL=SHUTDOWN, KILL

Allows the users defined in the TRUSTED alias run on any host the commands defined in the SHUTDOWN and KILL alias.

This line would effectively expand to,

Let cnb, mayank, sacs run on ALL hosts as root the commands /sbin/shutdown, /sbin/halt, /bin/kill, /usr/bin/killall.

These examples are very rudimentary. One can create very powerful rules by using the sudo supported features of regular expressions and shell wildcards to build convenient and secure access control lists. All these are extensively documented in the sudoers(5) man page.

Security Concerns

sudo does numerous security checks before executing the requested command. It removes certain environment variables and checks the path for command spoofing. Yet, there are ways in which sudo access can be exploited to gain unauthorized root privileges if not carefully used.

For example, the following entry lets a person change Apache's configuration.

user ALL=/bin/rvi /etc/httpd/conf/httpd.conf

Using this seemingly innocuous entry a user could read in the /etc/shadow file, edit it and elevate himself to root privileges. This is possible even after we have used vi in the restricted mode because vi itself is running as root and can read and write any file using :r filename and :w filename.

Be very careful when you let a person write to a file. Be very sure that system files cannot be altered using the allowed access. Allowing the replacement of (updating) executables and libraries is a strict non starter. Beware of the danger of trojan introduction.

sudo is free software distributed under the BSD license and can be downloaded at here. The sudo website contains extensive documentation and pointers to various resources concerning sudo. So grab sudo and get rid of those dangerous setuid programs and shared root passwords.