[Mageia-sysadm] Usernames, uids, and groups
Luca Berra
bluca at vodka.it
Wed Nov 10 18:40:58 CET 2010
On Wed, Nov 10, 2010 at 06:25:38PM +0100, nicolas vigier wrote:
>On Wed, 10 Nov 2010, Luca Berra wrote:
>
>> On Wed, Nov 10, 2010 at 01:32:47PM +0100, Michael Scherer wrote:
>>> Le mercredi 10 novembre 2010 à 11:55 +0100, nicolas vigier a écrit :
>>>> On Wed, 10 Nov 2010, Luca Berra wrote:
>>>>
>>>> > 2) Accountability. No idea in France, but here system administratros
>>>> > need to be accounted (*).
>>>>
>>>> When someone runs "sudo su -" or something equivalent there is no
>>>> accountability on what he did after that.
>>>
>>> Even more cunning, emacs or vim can run process ( except that vim has a
>>> mode where it can prevent it with -Z, do not know for emacs ).
>>
>> it is better to use sudoedit for editing files, it will copy the
>> original file to a temporary copy, revert to caller uid, let user edit
>> the file, and move it into place afterwards.
>
>Unless the list of files you are allowed to edit is very limited, it is
>very easy to open a root shell by editing a config file.
not with sudoedit
>> another options is using noexec (sudo will preload a shlib overriding
>> exec calls)
>
>But you have an editor running as root, and you can then edit any file.
the idea is that the editor runs as unprivileged user
--
Luca Berra -- bluca at vodka.it
More information about the Mageia-sysadm
mailing list