for everyone who's sick of sudo read this
Steve Feehan
sfeehan at sbb.uvm.edu
Wed Jun 29 23:16:37 UTC 2005
On Wed, Jun 29, 2005 at 07:07:18PM -0400, Stephen R Laniel wrote:
> On Wed, Jun 29, 2005 at 07:00:54PM -0400, Steve Feehan wrote:
> > You could make the file immutable, which it appears not to be:
> >
> > $ sudo lsattr /etc/sudoers
> > ----------------- /etc/sudoers
>
> Newbie-level question, I'd guess: what is lsattr listing
> that ls alone is not?

You can read about the various attributes in chattr(1).

> Is there an ext{2,3} attribute called 'immutability' that goes
> above and beyond the rwx permissions?

Yep, see above.

> Presumably one can make a file mutable again, right? So
> would this add much security to /etc/sudoers?

Yeah, you could do:

    sudo chattr -i /etc/sudoers

You can't prevent the user from circumventing visudo. But you can
gently remind them that they shouldn't edit the file directly. Why
would someone prefer to jump through hoops to edit the file directly
when they could just type 'visudo'?

> Maybe sudo is supposed to be portable, so they insist on
> abstracting above the details of filesystems. Maybe?

Probably. Which is why I suggested patching the Ubuntu package
to support the immutable attribute if the file is on an ext
file system. Should be a trivial patch.

--
Steve Feehan
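
The lsattr check discussed in this message, as an added shell example that is not part of the original post: it reports whether a file carries the immutable flag and treats an lsattr failure (for instance on a non-ext file system) as "unknown". The function names are hypothetical; since `chattr -i` clears the flag, as the message says, this works as an audit check rather than a lock.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes lsattr from e2fsprogs.

# flags_immutable FLAGS
# FLAGS is the first field of an lsattr line, e.g. "----i---------e-------".
# Returns 0 if 'i' (immutable) is set, 1 if not, 2 if FLAGS is not a flag field.
flags_immutable() {
    case "$1" in
        ''|*[!A-Za-z-]*) return 2 ;;   # empty, or contains non-flag characters
        *i*)             return 0 ;;
        *)               return 1 ;;
    esac
}

# parse_lsattr_line LINE
# Only the flag field is inspected, so an 'i' in the file name cannot
# produce a false positive.
parse_lsattr_line() {
    flags_immutable "${1%% *}"
}

# check_immutable PATH
# Prints "immutable", "mutable" or "unknown" and returns 0, 1 or 2.
# "unknown" covers a missing lsattr, a missing file, and file systems
# that do not support the attribute.
check_immutable() {
    path=$1
    line=$(lsattr -d -- "$path" 2>/dev/null) || { echo unknown; return 2; }
    rc=0
    parse_lsattr_line "$line" || rc=$?
    case "$rc" in
        0) echo immutable ;;
        1) echo mutable ;;
        *) echo unknown; rc=2 ;;
    esac
    return "$rc"
}

# Typical use (reading attributes of a root-owned file may need sudo):
#   check_immutable /etc/sudoers
```
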