
Re: [linux_var] Sudoers and security



Luca Lesinigo wrote:
On 04 May 2009, at 15:19, Wolf L.A.B. wrote:
To my great dismay I discovered a security hole in my two systems as big as a mountain!
Typing "sudo su" I became root without being asked for a password!
Could it be that you had used sudo shortly before, so it still accepted the user password you had entered earlier?

googling around a bit:
http://www.gratisoft.us/sudo/man/sudoers.html#nopasswd_and_passwd

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

 ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry would be:

 ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exemptgroup option.

By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without a password. Additionally, a user may only run sudo -v without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options.


-- 
                                           __
Marco Bevacqua aka MoBius             |   /\ \   Linux User #277442         
I have a dream of a mega OS with the  |  / /\ \   
logo of a penguin sitting on a window | / /__\ \  Möbius is always 
sill eating an apple.                 | \/____\/  on the right side ;)
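The manual excerpt quoted above is precise but easy to misread: a NOPASSWD or PASSWD tag is sticky for every command that follows it in the same Cmnd_Spec_List, and the password-free behaviour of "sudo -l" and "sudo -v" depends on any versus all of the matching entries. The script below is an added example written for this page; it is not sudo's own parser and is not code from anyone in the thread. It implements only the rules quoted from the manual (tag and Runas_Spec propagation, the "any"/"all" rule for -l and -v, ignoring the listpw, verifypw and exempt_group overrides), skips aliases, Defaults lines and negation, and runs over constructed sample lines: the two "ray"-style entries from the manual, an entry of the kind that makes "sudo su" succeed without a prompt, and its corrected form. The su paths, the runas default of root and the fix itself (simply dropping NOPASSWD) are assumptions.

```python
"""Toy sudoers Cmnd_Spec_List auditor (added example, not sudo's own parser).

Rules implemented, taken from the sudoers manual text quoted in the thread:
  * a NOPASSWD / PASSWD tag, like a Runas_Spec, sets a default for the
    commands that follow it in the same Cmnd_Spec_List;
  * 'sudo -l' needs no password if ANY matching command spec is NOPASSWD;
  * 'sudo -v' needs no password only if ALL matching command specs are NOPASSWD.
listpw / verifypw / exempt_group overrides, aliases, Defaults lines,
negation (!) and line continuations are deliberately not handled.
"""
import re

# Constructed sample sudoers lines. 'ray' and 'bob' mirror the two manual
# examples; 'wolf' is the kind of entry that lets 'sudo su' succeed without a
# prompt, as reported in the thread; 'alice' keeps sudo's normal behaviour.
SAMPLE_SUDOERS = """
# comment lines and blank lines are ignored
ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
bob    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
wolf   ALL = (ALL) NOPASSWD: ALL
alice  ALL = (ALL) ALL
"""

# The weak line from the sample beside its corrected form (assumed fix: drop NOPASSWD).
WEAK_LINE = "wolf   ALL = (ALL) NOPASSWD: ALL"
FIXED_LINE = "wolf   ALL = (ALL) ALL"

TAG_RE = re.compile(r"^(NOPASSWD|PASSWD):\s*")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")


def parse_cmnd_spec_list(spec):
    """Return [(command, runas_user, needs_password)] for one Cmnd_Spec_List.

    Both the Runas_Spec and the password tag are sticky: once seen they apply
    to every following command until another one overrides them.
    """
    needs_password = True          # sudo's default: authenticate first
    runas = "root"                 # assumption: runas_default left at root
    out = []
    for raw in spec.split(","):
        item = raw.strip()
        m = RUNAS_RE.match(item)
        if m:
            # "(ALL)" or "(user:group)": keep only the user part
            runas = m.group(1).split(":")[0].strip() or runas
            item = item[m.end():]
        m = TAG_RE.match(item)
        if m:
            needs_password = (m.group(1) == "PASSWD")
            item = item[m.end():]
        out.append((item.strip(), runas, needs_password))
    return out


def parse_sudoers(text):
    """Return [(user, host, cmnd_specs)] for the user-specification lines in text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue                # not a user specification; out of scope here
        lhs, sep, spec = line.partition("=")
        fields = lhs.split()
        if not sep or len(fields) != 2:
            raise ValueError("unsupported user specification: %r" % line)
        user, host = fields
        entries.append((user, host, parse_cmnd_spec_list(spec)))
    return entries


def host_matches(pattern, host):
    return pattern == "ALL" or pattern == host


def matching_specs(entries, user, host):
    return [cs for u, h, specs in entries
            if u == user and host_matches(h, host) for cs in specs]


def passwordless_commands(entries, user, host):
    """Commands `user` may run on `host` without authenticating."""
    return {cmd for cmd, _, needs_pw in matching_specs(entries, user, host)
            if not needs_pw}


def pseudo_command_prompts(entries, user, host):
    """Whether 'sudo -l' and 'sudo -v' prompt for a password (manual defaults)."""
    flags = [needs_pw for _, _, needs_pw in matching_specs(entries, user, host)]
    if not flags:
        return {"list": True, "verify": True}   # nothing matches: sudo still prompts
    return {"list": all(flags), "verify": any(flags)}


def find_passwordless_root_shells(entries):
    """Entries reproducing the thread's symptom: root via sudo with no password."""
    su_paths = ("/bin/su", "/usr/bin/su")        # assumption: typical locations of su
    findings = []
    for user, host, specs in entries:
        for cmd, runas, needs_pw in specs:
            if not needs_pw and runas in ("ALL", "root") and cmd in ("ALL",) + su_paths:
                findings.append((user, host, cmd))
    return findings


ENTRIES = parse_sudoers(SAMPLE_SUDOERS)

if __name__ == "__main__":
    for user in ("ray", "bob", "wolf", "alice"):
        print(user, sorted(passwordless_commands(ENTRIES, user, "rushmore")),
              pseudo_command_prompts(ENTRIES, user, "rushmore"))
    print("passwordless root:", find_passwordless_root_shells(ENTRIES))
    print("after fix:", find_passwordless_root_shells(parse_sudoers(FIXED_LINE)))
```

On a real system the check that matters is the one sudo itself gives: run "sudo -l" as the affected user and look for NOPASSWD next to "ALL" or "su"; the script only shows why a tag placed early in a list covers more commands than its author may have intended. Remember also that in real sudoers the last matching entry wins, which the sample avoids by giving each user a single line.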