Article <v1bril$1bh$1@tncsrv09.home.tnetconsulting.net>

Path: ...!weretis.net!feeder9.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.omega.home.tnetconsulting.net!not-for-mail
From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.os.linux.misc
Subject: Re: Yet Another New systemd Feature
Date: Mon, 6 May 2024 19:11:01 -0500
Organization: TNet Consulting
Message-ID: <v1bril$1bh$1@tncsrv09.home.tnetconsulting.net>
References: <v1941f$24d4m$1@dont-email.me> <v1a0j2$2eb40$1@dont-email.me>
 <l9ris7F74e0U1@mid.individual.net> <v1ac52$2gs3r$2@dont-email.me>
 <l9so4sFbj9uU2@mid.individual.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 7 May 2024 00:11:01 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="omega.home.tnetconsulting.net:198.18.1.140";
	logging-data="1393"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <l9so4sFbj9uU2@mid.individual.net>
Bytes: 2007
Lines: 25

On 5/6/24 14:08, Andy Burns wrote:
> AFAIR, /usr/bin/sudo is a 'sticky' binary owned by root, so it 
> immediately gets root access, better hope nobody finds a way to abuse 
> that before it's decided whether or not to let you do what you asked it.

You are correct.

Thankfully we have 30+ years of sudo history and people trying to do 
exactly that and others defending against that very thing.

> I've encountered plenty, not so well controlled, where all it takes is 
> "sudo su -"

That's why I would tend to allow non-SA teams to have sudo with a 
specific command (possibly without needing to re-enter their password) 
while only allowing the Unix SAs to have `sudo su` et al. access.

Sudo is, or very much so should be, an explicit "allow known good and 
block everything else by default" policy.

Negation never works as one might hope when it comes to security.

-- 
Grant. . . .
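As an added example, not part of the post (the user names and rules are constructed, and the matcher is a toy simplification of sudoers, not sudo's real parser): a small evaluator contrasting the explicit allow-list Grant describes with the "everything except su" negation style, showing why a denial only blocks the exact command it names.

```python
import os.path
import shlex

# Constructed sample policies in a simplified sudoers-like form. Each rule is
# (user, allowed commands, denied commands); "ALL" matches any command.
#
# Style A: the explicit allow-list Grant describes. The non-SA team gets one
# specific command; only the Unix SAs get everything (and therefore su).
ALLOWLIST = [
    ("webops", ["/usr/bin/systemctl restart nginx"], []),
    ("sysadmin", ["ALL"], []),
]

# Style B: the negation anti-pattern, "everything except su".
DENYLIST = [
    ("webops", ["ALL"], ["/bin/su"]),
]


def may_run(rules, user, cmd):
    """Return True if `user` may run `cmd` (full path plus arguments)."""
    parts = shlex.split(cmd)
    if not parts:
        return False
    prog = os.path.normpath(parts[0])
    for rule_user, allowed, denied in rules:
        if rule_user != user:
            continue
        # A denial only blocks the exact program it names.
        if any(prog == os.path.normpath(d) for d in denied):
            return False
        # An allow entry is either ALL or an exact command line.
        if any(a == "ALL" or a == cmd for a in allowed):
            return True
    return False


def compare(user, cmds):
    """Map each command to (allowed under style A, allowed under style B)."""
    return {c: (may_run(ALLOWLIST, user, c), may_run(DENYLIST, user, c))
            for c in cmds}


if __name__ == "__main__":
    # "/bin/bash -l" stands in for any powerful command the denial never named.
    report = compare("webops", ["/usr/bin/systemctl restart nginx",
                                "/bin/su -", "/bin/bash -l"])
    for cmd, (a, b) in report.items():
        print(f"{cmd:36} allow-list={a!s:5} deny-list={b}")
```

Under the allow-list the team can run exactly the one command and nothing else; under the deny-list everything the negation did not think of stays open.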