theoretical question - can root's username be changed?
Mike McCarty
mike.mccarty at sbcglobal.net
Fri Dec 2 21:24:45 UTC 2005
Craig White wrote:
> On Fri, 2005-12-02 at 14:14 -0600, Mike McCarty wrote:
>>One cannot configure sudo such that one can "vi /etc/one_special_file"
>>but not "vi /etc/another_special_file".
>
> ----
> I am DEFINITELY not an expert on sudoers file but...
Nor am I.
> # tail -n 5 /etc/sudoers
> Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
> Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
> # User privilege specification
> craig ALL=(ALL) ALL
> craig ALL= NOPASSWD : IPOD, EJECT
>
> makes me believe that I could only use modprobe and eject as prescribed
> if I didn't have the ALL=(ALL) ALL designation.
Yes, one can restrict what commands get used. But one cannot
restrict what one does with that command.
For example, suppose I need a user who can move a file
to a backup area, and then create a new one using some editor
or other. I can "unleash" mv and the editor, but then
I cannot (AFAIK) prevent that user from using mv or the
editor on *any* file.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
More information about the users
mailing list