[Mageia-sysadm] Usernames, uids, and groups

nicolas vigier boklm at mars-attacks.org
Wed Nov 10 18:25:38 CET 2010


On Wed, 10 Nov 2010, Luca Berra wrote:

> On Wed, Nov 10, 2010 at 01:32:47PM +0100, Michael Scherer wrote:
>> Le mercredi 10 novembre 2010 à 11:55 +0100, nicolas vigier a écrit :
>>> On Wed, 10 Nov 2010, Luca Berra wrote:
>>>
>>> > 2) Accountability. No idea in France, but here system administrators
>>> > need to be accounted (*).
>>>
>>> When someone runs "sudo su -" or something equivalent there is no
>>> accountability on what he did after that.
>>
>> Even more cunning, emacs or vim can run processes ( except that vim has a
>> mode where it can prevent it with -Z, do not know for emacs ).
>
> it is better to use sudoedit for editing files, it will copy the
> original file to a temporary copy, revert to caller uid, let user edit
> the file, and move it into place afterwards.

Unless the list of files you are allowed to edit is very limited, it is
very easy to open a root shell by editing a config file.

> another option is using noexec (sudo will preload a shlib overriding
> exec calls)

But you have an editor running as root, and you can then edit any file.
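As an added example that is not part of this thread, here is a sudoers fragment tying the points above together: I/O logging for accountability, sudoedit limited to an explicit list of files, and NOEXEC for an editor that must run as root. The group name, file paths and editor path are assumptions chosen for illustration.

```sudoers
## Added example, not from the thread. Group "webadmins", the config file
## paths and /usr/bin/vim are assumptions for illustration only.

# Accountability: record the full terminal session of every sudo invocation
# in a per-user directory, so "sudo su -" or an editor that spawns a shell
# still leaves a reviewable log of what was done as root.
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io/%{user}

# Editing via sudoedit: the file is copied to a temporary file owned by the
# caller, edited with the caller's uid, then moved back into place. Keep the
# list explicit and short; a directory or wildcard here would include files
# whose contents are interpreted by root and so widens the exposure.
Cmnd_Alias  WEB_CONF = sudoedit /etc/httpd/conf/httpd.conf, \
                       sudoedit /etc/httpd/conf.d/vhosts.conf
%webadmins  ALL = (root) WEB_CONF

# When a real editor has to run as root, NOEXEC makes sudo preload a library
# that blocks exec() from that process, so child processes started from the
# editor fail. The editor still writes any file as root, which is why the
# sudoedit rule above is preferred.
%webadmins  ALL = (root) NOEXEC: /usr/bin/vim /etc/my.cnf
```

Validate the file with `visudo -c` before installing it; a syntax error in sudoers can lock every administrator out of sudo.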
