Ask detail operate process about edit sudoers file by terminal

Matthew Miller mattdm at fedoraproject.org
Fri Jun 14 19:05:34 UTC 2013


On Fri, Jun 14, 2013 at 01:51:42PM -0500, Steven Stern wrote:
> >>>>>>   %wheel  ALL=(ALL)       ALL
> >>>> This line *IS* uncommented by default.
> >>> Hmmm... Maybe it's been so long since I've had to do it.  In any case,
> >>> it was commented on the two CentOS 6 systems I just set up.
> >> In my sudoers, that line is commented out, and should be. You don't
> >> want everybody and his brother to have sudo privileges. 
> > "Everybody and his brother" should not be in the wheel group. "Wheel" is the
> > group for people with administrative privileges on the system.
> OK, let's now have some fun....
>   sudo cp /bin/bash /bin/mylocalshell
>   sudo mylocalshell
> I know this is preventable, but it's something to think about. No one
> should have sudo who you would not trust with root itself. sudo just
> adds a layer of accountability.

I'm a little perplexed by your "fun". Maybe it is not obvious, but the above
line allows any member of the wheel group (but just members of that group)
to use sudo for any command, which, yes, allows the same access level as
root. I don't think anyone is suggesting otherwise. You can just skip right
to "sudo bash", or, probably better, "sudo -i".

It's also the case that once you have root, or group membership, unless a
full audit of all files on the system is performed, it's difficult to make
sure that that access is _gone_ -- you can't just remove someone from the
list. But that's another issue.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm at fedoraproject.org>
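
As an added example (not part of this thread, and not Fedora's or sudo's own tooling): a small POSIX sh audit that answers the question the thread keeps circling, namely who actually ends up with unrestricted root once the %wheel line is active. It reads a sudoers file for entries whose command list contains ALL, expands %group specs from an /etc/group-format file, and prints the resulting account names. The sudoers and group files it runs on are constructed samples embedded in the script; the users alice, bob, carol, dave and erin are invented.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: audit which accounts end up
# with unrestricted root through sudo. Runs offline on constructed sample files.

# Print the user/group spec (first field) of every active sudoers entry that
# grants ALL commands: "<spec> <hosts> = [(runas)] [TAG:] ALL[, ...]".
# Comment lines, Defaults lines and alias definitions are ignored. Entries like
# "ALL, !/bin/su" are still reported: a negated command does not remove root.
# Caveats: "#uid" and "%#gid" specs are dropped along with comments, and
# backslash line continuations are not joined.
sudoers_full_root() {
    awk '
        { sub(/#.*/, "") }                     # strip comments (and #include lines)
        NF < 2 || $1 == "Defaults" || $1 ~ /_Alias$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            rhs = substr($0, eq + 1)           # (runas) [tags:] command list
            # ALL counts as a command only when delimited by ":", space, tab
            # or ","; the appended comma lets an ALL at end of line match.
            if ((" " rhs ",") ~ /[: \t,]ALL[ \t]*,/) print $1
        }
    ' "$1"
}

# Print the members of group $1 from the /etc/group-format file $2, one per
# line. Caveat: accounts whose primary GID (from /etc/passwd) is this group
# are not listed here.
group_members() {
    awk -F: -v g="$1" '
        $1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }
    ' "$2"
}

# Combine the two: every account that can run "sudo -i" (or "sudo bash") and
# therefore has full root. %group specs are expanded from the group file;
# +netgroup specs are passed through unexpanded.
effective_root_users() {
    sudoers_full_root "$1" | while IFS= read -r spec; do
        case "$spec" in
            %*) group_members "${spec#%}" "$2" ;;
            *)  printf '%s\n' "$spec" ;;
        esac
    done | sort -u
}

# Write the constructed sample sudoers and group files into directory $1.
write_samples() {
    cat > "$1/sudoers" <<'EOF'
## Constructed sample sudoers for the demo; not a real system's file
Defaults    requiretty
Defaults    env_keep += "LANG LC_ALL"
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash
root    ALL=(ALL)       ALL
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
carol   ALL=(ALL)       /usr/bin/systemctl restart httpd
dave    ALL=(root)      ALL, !/bin/su
erin    ALL = ALL
#includedir /etc/sudoers.d
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
users:x:100:carol,dave
EOF
}

# Stand-alone demo on the constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "sudoers specs granted ALL commands:"
sudoers_full_root "$tmp/sudoers"
echo "accounts that can run 'sudo -i':"
effective_root_users "$tmp/sudoers" "$tmp/group"
rm -rf "$tmp"
```

On a real host you would point the two functions at /etc/sudoers (plus each file under /etc/sudoers.d) and /etc/group. Note that carol, who is limited to one systemctl command, is not reported, while dave is: the "!/bin/su" exclusion looks restrictive but leaves every other route to a root shell open, which is the thread's point that sudo with ALL is root.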

