[PLUG] Sudo Access to application accounts... Some thoughts please??

Tim tim-pdxlug at sentinelchicken.org
Thu Feb 7 00:10:24 UTC 2008


On Wed, Feb 06, 2008 at 05:57:12PM -0600, Robert Citek wrote:
> On Feb 6, 2008 5:48 PM, Matt Rae <mattrae at gmail.com> wrote:
> > if sudoers looks like this:
> > droberts SCDMAPPSERVERS=/bin/su - A-APP, /bin/su - B-APP
> >
> > then the command droberts would type to become A-APP would be:
> > "sudo su - A-APP"
> >
> > if sudoers looked like this:
> > droberts SCDMAPPSERVERS=(A-APP, B-APP) ALL
> >
> > then the command would be something like:
> > "sudo -u A-APP -i"
> >
> > I'm not really sure which way is better. Maybe someone could comment.
>
> I find the second format cleaner.  They seem functionally equivalent.
Are they?

Seems to me that the former approach may be ripe for abuse if not
carefully configured and tested.  Finding a way to slip a stray
parameter to su could lead to privilege escalation.  I'm not up to speed
on how sudo handles various special characters when comparing commands
against the configuration, so couldn't tell you how one would go about
attacking it, but it just smells funny to me.  I'd definitely shoot for
the latter approach.

HTH,
tim
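As an added illustration that is not part of the thread, here are the two sudoers forms Matt quoted side by side, with the checks an admin would run before putting either into service. User and account names are the thread's; the Host_Alias members and the aliases themselves are assumptions added for readability.

```sudoers
# --- Form 1 (quoted in the thread): sudo may run su only with these exact arguments ---
# sudo compares listed arguments literally, so "sudo su - A-APP" matches and
# anything with extra or different arguments does not. The worry raised in the
# thread is that a stray parameter reaching su changes what su does, so this
# argument list must stay exact; wildcards here would widen the grant.
droberts SCDMAPPSERVERS = /bin/su - A-APP, /bin/su - B-APP

# --- Form 2 (the one Tim prefers): sudo switches user itself; su is not involved ---
# Assumed aliases: the hosts in SCDMAPPSERVERS are placeholders, since the
# thread never lists them.
Host_Alias  SCDMAPPSERVERS = app1.example.com, app2.example.com
Runas_Alias APP_ACCOUNTS   = A-APP, B-APP

# ALL is intentional here: the goal in the thread is a full login shell as the
# application account, and sudo logs the invocation with USER=A-APP or B-APP.
droberts SCDMAPPSERVERS = (APP_ACCOUNTS) ALL
# Usage:  sudo -u A-APP -i
#         sudo -u B-APP -i

# Checks before the file goes live (run as root):
#   visudo -c -f /etc/sudoers     # syntax check of the candidate file
#   sudo -l -U droberts           # list exactly what droberts may run on this host
```

With Form 2, `sudo -l -U droberts` should show only the (A-APP, B-APP) runas entry; any line granting a root runas would be a configuration mistake worth catching at this step.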


