Re: SUMMARY : sudo program

From: Sheryl Coppenger (sheryl@eesun.gwu.edu)
Date: Wed Jul 10 1991 - 18:39:23 CDT


I apologize for not thinking about this when the request went out
and sending it in time to be in the summary.

The shell programs aren't the only dangerous ones. You don't want
to give a person sudo access to the "nice" command either. For
the user with (essentially) setuid root access to nice can do
interesting things like "nice vi /etc/passwd" or "nice kill -9 nnnnnn".
I found out about this when another administrator at my former job
made nice setuid without realizing it could be used to do more than
set priorities. The users went wild.

The system in question was an HP9000, but I bet the same thing happens
on Suns. The reason I mention this in connection with sudo is that
after the events described above I typed in sudo and tried it with
nice with the same results. I haven't looked at the versions on
the net.

If there are any more follow-ups, rebuttals or discussions, I will
be happy to receive the replies and summarize for the mailing list.

-- 

Sheryl Coppenger SEAS Computing Facility Staff sheryl@seas.gwu.edu The George Washington University (202) 994-6853



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:21 CDT