hi joshua...

/etc/aliases... what can we do with it...

i don't know if this was bill's original intent or not

but let's see what (regular) people can do with /etc/aliases

/etc/aliases
        badthing:       mail -s "send me the passwd"  [EMAIL PROTECTED] \
                        < /etc/passwd

but since the persons allowed to edit the /etc/aliases file are internal
anyway .. don't think we have to worry about that kind of stuff

if the company is 500 people with people leaving and coming onboard
and if there are jr admins... let them add/delete the people
from "all" or "sales" or "engineering" or "managers" etc...
        - in this case .. the sudo wrapper/editor script is good

        and the script can also propagate the /etc/aliases file to
        each machine that needs to have the aliases file kept current

        root@Slaves # sucpaliases -scp
                where it does ( and only if it's out-of-date )
                " scp MasterCopy:/etc/aliases /etc ; newaliases "

the wrapper script can also do the diff and/or run newaliases
depending on your level of paranoia of the ones allowed to run
this "sudo alias script"
        - nothing happens till *you* run newaliases... which i would
        do myself if i was responsible... but i'd do a diff between
        the new one and the previously tested/good version

have fun linuxing
alvin


On Fri, 30 Nov 2001, Joshua Goodall wrote:

> That is a fair point but addressable with post-editing checks
> in the wrapper. Of course, one is exceedingly vulnerable to
> race conditions if one is not very careful about what is read and
> when.
> 
> You don't have to use vi; there are dumber editors in the world.
> 
> Maybe you should just have some programmatic (i.e. commandline,
> not full-screen) editing program for aliases that's callable from sudo.
> 
> However the whole idea fills me with worry; /etc/aliases IS quite a critical
> file and I'm certain that specific attacks could be engineered
> against you if write access was obtained.
> 
> Why not just have users make their changes and mail a diff to
> the sysadmin for approval :)
> 
> J
> 
> p.s. failing that, investigate LIDS; but that's a different ball game.
> 
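
The post-editing check and the diff against the previously tested version discussed in this thread could look like the sketch below, which lists the aliases that changed and flags new targets that are not plain addresses (program pipes, file deliveries, :include: files) so the wrapper can hold off on newaliases until they are approved. It is an added example, not code from either poster; the sample files, the paths and program name inside them, and all function names are constructed for illustration.

```python
import re

# Constructed sample data: the last approved aliases file and a proposed edit.
APPROVED = """\
sales: alice, bob
engineering: carol,
    dave
"""
PROPOSED = """\
# company lists
sales: alice, bob, erin
engineering: carol,
    dave
badthing: "|/usr/local/bin/example-prog --flag"
archive: /var/tmp/archive.mbox
all: :include:/home/jr/all.list
"""

def parse_aliases(text):
    """Return {alias: [targets]}, joining indented continuation lines."""
    logical = []
    for raw in text.splitlines():
        line = raw.rstrip().rstrip("\\").rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    entries = {}
    for line in logical:
        name, _, rhs = line.partition(":")
        targets = [t.strip().strip('"') for t in re.findall(r'\s*("[^"]*"|[^,]+),?', rhs)]
        entries.setdefault(name.strip().lower(), []).extend(t for t in targets if t)
    return entries

RISKY = (("|", "pipe to program"), (":include:", "include file"), ("/", "delivery to file"))

def risk(target):
    """Name the delivery type if the target is anything other than an address."""
    return next((why for prefix, why in RISKY if target.lower().startswith(prefix)), None)

def review(approved_text, proposed_text):
    """Return (changed alias names, new non-address targets) for a proposed file."""
    old, new = parse_aliases(approved_text), parse_aliases(proposed_text)
    changed = sorted(a for a in old.keys() | new.keys() if old.get(a) != new.get(a))
    findings = [(a, t, risk(t)) for a in changed for t in new.get(a, [])
                if risk(t) and t not in old.get(a, [])]
    return changed, findings
```

To stay clear of the race condition raised in the quoted reply, the wrapper should read the edited file once, review that text, and install those same bytes rather than re-reading the file.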

