|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Access to nfs server, Part 2
From: Scott Gifford (sgifford
suspectclass.com)
Date: Fri Jul 23 2004 - 11:14:05 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Kevin Johnson <kjohnsonsecureideas.net> writes:
> I believe that using sudo to give the developer access to what ever
> commands he needs to run should prevent the 'su - <username>' trick.
> I am always leery of giving someone root access to any machine on my
> network if I don't trust him on EVERY machine.
This will only work if you're very careful of what commands you allow
them to run, and the commands are designed to be run with elevated
privileges. Otherwise the developer may be able to use command-line
options or interactive commands to get into a shell or otherwise run
arbitrary commands.
For example, let's say you put a command in sudoers to allow a
developer to edit /etc/services with vi. Once vi starts up, they can
simply use :! to run commands as root. There are many variations on
this sort of attack/abuse, and it can be quite difficult to find them
all.
-----ScottG.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]