theoretical question - can root's username be changed?

Mike McCarty mike.mccarty at sbcglobal.net
Fri Dec 2 21:24:45 UTC 2005


Craig White wrote:
> On Fri, 2005-12-02 at 14:14 -0600, Mike McCarty wrote:

>>One cannot configure sudo such that one can "vi /etc/one_special_file"
>>but not "vi /etc/another_special_file".
> 
> ----
> I am DEFINITELY not an expert on sudoers file but...

Nor am I.

> # tail -n 5 /etc/sudoers
> Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
> Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
> # User privilege specification
> craig   ALL=(ALL) ALL
> craig   ALL= NOPASSWD : IPOD, EJECT
> 
> makes me believe that I could only use modprobe and eject as prescribed
> if I didn't have the ALL=(ALL) ALL designation.

Yes, one can restrict what commands get used. But one cannot
restrict what one does with that command.

For example, suppose I need a user who can move a file
to a backup area, and then create a new one using some editor
or other. I can "unleash" mv and the editor, but then
I cannot (AFAIK) prevent that user from using mv or the
editor on *any* file.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
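
Added example (not part of the original message, and not sudo's own code): a simplified Python model of how sudoers matches a Cmnd_Alias entry against the command line a user asks sudo to run, using the two aliases Craig quoted. The BACKUP alias and all function names are assumptions made for illustration; in sudoers, an entry that lists arguments matches only those arguments, while a bare path accepts any arguments.

```python
import fnmatch
import shlex

# Constructed input: the two aliases quoted in the message, plus a
# hypothetical BACKUP alias modelling the "unleash mv" case (bare path).
SUDOERS = """\
Cmnd_Alias IPOD=/sbin/modprobe -r sbp2
Cmnd_Alias EJECT=/usr/bin/eject /dev/sda2,/usr/bin/eject /dev/sdb2
Cmnd_Alias BACKUP=/bin/mv
"""

def parse_aliases(text):
    """Return {alias: [(path, args_pattern), ...]} for Cmnd_Alias lines.

    args_pattern is None when the entry lists no arguments (any arguments
    are accepted) and "" when the entry is written with "" (no arguments).
    Simplification: escaped commas and line continuations are not handled.
    """
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Cmnd_Alias"):
            continue
        name, _, rhs = line[len("Cmnd_Alias"):].partition("=")
        specs = []
        for entry in rhs.split(","):
            path, _, args = entry.strip().partition(" ")
            args = args.strip()
            pattern = None if not args else ("" if args == '""' else args)
            specs.append((path, pattern))
        aliases[name.strip()] = specs
    return aliases

def allowed(aliases, alias, command_line):
    """True if command_line matches some entry of the named alias."""
    argv = shlex.split(command_line)
    path, given = argv[0], " ".join(argv[1:])
    for spec_path, pattern in aliases.get(alias, []):
        if spec_path != path:
            continue
        # Arguments are joined with spaces and compared as a shell-style glob.
        if pattern is None or fnmatch.fnmatchcase(given, pattern):
            return True
    return False

ALIASES = parse_aliases(SUDOERS)

if __name__ == "__main__":
    for alias, cmd in [("EJECT", "/usr/bin/eject /dev/sda2"),
                       ("EJECT", "/usr/bin/eject /dev/sdc1"),
                       ("BACKUP", "/bin/mv /etc/another_special_file /tmp/x")]:
        print(alias, cmd, "->", allowed(ALIASES, alias, cmd))
```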



