[mdlug] /etc/sudoers -A rant and an attempt at better documentation
Carl T. Miller
millerc at cantonpl.org
Sun Jan 7 10:18:18 EST 2007
Daniel Hedlund wrote:
> Raymond McLaughlin wrote:
>> # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
>
> The above is not your fault at all because it's part of the default
> config that also appears in my sudoers, but just a word of warning. I'm
> pretty sure that the above command has some potential security problems
> (I'll relay this on to their dev team). The above command should
> probably read, at a minimum:
> %users ALL=/sbin/mount -t iso9660 /cdrom,/sbin/umount /cdrom
> CDs that are inserted into a computer don't have to follow the ISO-9660
> format, and can also be created by burning a variety of different file
> formats onto the beginning of the disc, UDF being another good example.
Notice that the original line will not let someone run "sudo
mount -t ext2 /cdrom". It will only allow "sudo mount /cdrom".
I would worry if it was like this:
%users ALL=/sbin/mount * /cdrom, /sbin/umount /cdrom
Daniel, you make a good point in that the entry for the cdrom
drive in /etc/fstab should be set to iso9660 and not to auto.
c
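
The argument matching discussed above can be checked with a small model. This is an added example, not part of the original message and not sudo's own code. It assumes the documented sudoers behaviour that arguments listed in a command spec are compared against the user's arguments joined into one string, with shell-style wildcards; the function names are hypothetical, and escaped commas and backslash escapes are not handled.

```python
from fnmatch import fnmatchcase

# The three command lists quoted in this thread.
ORIGINAL = "/sbin/mount /cdrom,/sbin/umount /cdrom"
PINNED_TYPE = "/sbin/mount -t iso9660 /cdrom,/sbin/umount /cdrom"
WILDCARD = "/sbin/mount * /cdrom, /sbin/umount /cdrom"


def parse_cmnd(spec):
    """Split one command spec into (path, argument pattern or None)."""
    path, _, args = spec.strip().partition(" ")
    args = args.strip()
    return path, (args if args else None)


def allowed(cmnd_list, argv):
    """Return True if argv matches any spec in a comma-separated list.

    Simplified model: the user's arguments are joined with single
    spaces and matched as one string, so '*' can span several words.
    """
    command, user_args = argv[0], " ".join(argv[1:])
    for spec in cmnd_list.split(","):
        path, pattern = parse_cmnd(spec)
        if path != command:
            continue
        if pattern is None:
            return True  # no arguments listed: any arguments accepted
        if pattern == '""':
            if user_args == "":
                return True  # "" in sudoers means "no arguments at all"
            continue
        if fnmatchcase(user_args, pattern):
            return True
    return False


if __name__ == "__main__":
    attempts = [
        ["/sbin/mount", "/cdrom"],
        ["/sbin/mount", "-t", "ext2", "/cdrom"],
        ["/sbin/mount", "-t", "iso9660", "/cdrom"],
        ["/sbin/umount", "/cdrom"],
    ]
    for name, rule in [("original", ORIGINAL), ("pinned", PINNED_TYPE),
                       ("wildcard", WILDCARD)]:
        for argv in attempts:
            verdict = "allow" if allowed(rule, argv) else "deny"
            print(f"{name:9} {verdict:5} {' '.join(argv)}")
```

With the wildcard rule the filesystem type is chosen by the caller, which is the case the message says to worry about; the original rule leaves that choice to /etc/fstab.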