Problems with Sudo

Jeffrey F. Bloss jbloss at tampabay.rr.com
Fri Mar 16 03:03:57 UTC 2007


Arthur H. Johnson II wrote:

> The alternate SSH server is actually this special one:
> 
> http://chrootssh.sf.net
 
> At any rate, nobody has really answered my question, instead they want
> me to change my personal security policy.  Thats fine, I just want to

Your question might have been a little easier to answer had you
provided this vital bit of information. :(

Apparently it's your personal security policy that's in the way. You're
jailing everyone, then selectively trying to break out and become the
warden. While you may be able to masquerade as another inmate because
SSH is generally allowed, all limitations should still apply including
no privilege escalation via sudo because you've never actually "left the
building" (for lack of a better analogy).

I think if you consider things carefully you'll have to agree that
allowing someone to break out of a chroot jail by simply logging back
in, even "looping" in as another user, is horribly insecure and a direct
contradiction to the goal of disallowing unwanted/privileged access via
SSH.

Chroot jails are a dandy idea for "guests", I wouldn't change that, but
I think you need to bite the bullet and allow plain vanilla SSH by an
unprivileged user then invoke su or sudo as necessary from there
rather than trying to end run chroot. The suggestions that have been
offered with respect to access control will leave things more than
secure enough, at least as secure as any system allowing any outside
access at all, and certainly more secure than any system that allowed
you to do things the way you're trying to do them now.

Or... you could always get use to the fact that you need to log in
locally for administrative purposes. ;)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070315/555c9e5d/attachment.pgp>


More information about the ubuntu-users mailing list