You are right if the commands you are given root access to give you a shell
out, but sudo can be configured. For example the following commands could
be given root access
"/usr/atria/bin/cleartool protectvob"
"sh /etc/rc2.d/S77atria"
With sudo you are not just limited to the command that can be used, but also
the options that follow it. The two commands above offer no shell out. I
admit that it is difficult to define a set of commands that offer no exit
(and let's face it you would be a fool not to try and sneak one through your
Unix Admin) but sudo is a satisfactory compromise solution. And when the
directory disappears or the system reboots, you will have the perfect alibi.
Roy Chapman
External Consultant
Robert Bosch GmbH * (00 49) 0711/811-31795 / GSM (00 49)
0173/4887139
K5/ESQ * (00 49) 0711/811-31800
Postfach 20 02 40 * mailto:roy.chapman@de.bosch.com
D-70442 Stuttgart
> ----------
> Von: Scott Mackillip[SMTP:mmackill@aud.alcatel.com
> Gesendet: Freitag, 28. Januar 2000 15:21
> An: EXTERN Chapman Roy (WA-Consultants; K5/ESQ1); ClearCase User Group
> Betreff: Re: AW: [cciug] vobadm vs root
>
> My only question now is: once you give me sudo to cleartool, can't I run a
> shell-out from the cleartool and have a shell running as root?
>
> does that not defeat the whole idea of sudo?
>
> If this is the case, and there really is a limited number of UNIX commands
> for
> troubleshooting clearcase as root, what is that limited number of
> commands?
>
> I apologize if I'm belaboring the point, but I feel that a strong
> relationship
> between the Sys Admin team and the ClearCase Admin team is necessary for a
> cohesive and cooperative work environment. I don't want to have to run to
> the
> Sys Admin each time I need to troubelshoot a user's problem, or restart
> clearcase. In short, I don't want to pester the Sys Admins to the point
> that
> they roll their eyes and inwardly (or outwardly!) groan each time they see
> me.
>
> Regards,
>
> Scott
>
> "EXTERN Chapman Roy (WA-Consultants; K5/ESQ1)" wrote:
>
> > I disagree, it is not pointless trying to restrict root. Suggest you
> work
> > for a Bank and express that opinion.
> >
> > I do agree with you though that a small number of Unix commands could be
> > used to hack the system. But, if we are sensible about this, we don't
> need
> > these command as a Clearcase Administrator. I would suggest that sudo
> > access to cleartool and "sh /etc/rc2.d/S77atria" would suffice. Yes, I
> am
> > sure that additional commands are required on a daily basis, but that's
> what
> > we have Unix Administrators for. A root shell is a dangerous weapon, I
> > doubt that there is a user on this list who has been given root access
> in
> > the past and not accidentally rebooted a system or removed something
> they
> > shouldn't of. And if you haven't, give it time. Sudo makes access to
> root
> > commands a pain, in the same way that keeping a loaded weapon in a safe
> > makes access more difficult.
> >
> > Roy Chapman
> > External Consultant
> >
> > Robert Bosch GmbH * (00 49) 0711/811-31795 / GSM (00 49)
> > 0173/4887139
> > K5/ESQ * (00 49) 0711/811-31800
> > Postfach 20 02 40 * mailto:roy.chapman@de.bosch.com
> > D-70442 Stuttgart
> >
> > > ----------
> > > Von: Christian Goetze[SMTP:cg@digisle.net
> > > Gesendet: Donnerstag, 27. Januar 2000 20:12
> > > An: Scott Mackillip
> > > Cc: ClearCase User Group
> > > Betreff: Re: [cciug] vobadm vs root
> > >
> > >
> > > I think restricting sudo is silly - since it is trivial to bypass any
> > > restrictions if sudo is to have any use at all (e.g. one of the most
> > > common commands I run as sudo is chmod, and once you give me
> chmod...).
> > >
> > > Since root exploits for clearcase machines are available and well
> known
> > > among crackers, it is pointless to attempt to protect root. What you
> > > should do instead is to reduce the risk of accidental or trivial
> errors,
> > > and in addition gain the benefit of logging and the use of your own
> > > password. That's what sudo is really good for...
> > >
> > > If you are in a sensitive environment, you need to set up different
> > > security procedures that take the vulnerability of Clearcase machines
> into
> > > account. I use the following policy:
> > >
> > > Sensitive machines treat ClearCase machines like external Machines
> (no
> > > trust).
> > >
> > > ClearCase machines trust all internal machines (no hassles with
> > > distributed builds etc)
> > >
> > > Nobody trusts external machines (duh).
> > >
> > > ClearCase machines should be used exclusivly for development and
> > > testing on non-sensitive data sets. Consider that anyone who obtains
> > > a normal login on a Clearcase machine already has the "loot" (i.e.
> > > your source code). Protecting root in addition to that adds nothing.
> > >
> > > Special attention should be given to the possibility of Trojan
> horses
> > > being migrated from the relativly insecure development network into
> > > the secure production network. Use code review and checksums...
> > >
> > > --
> > > cg
> > >
> > >
> > > On Thu, 27 Jan 2000, Scott Mackillip wrote:
> > >
> > > >
> > > > All,
> > > >
> > > > I have been following the conversation closely, as I don't have root
> > > > access at my current site. I am in the process of putting together a
> > > > proposal for sudo access for the commands that will be needed, and
> have
> > > > a couple of questions for you all.
> > > >
> > > > Does anyone have a list of the commands that would require root
> access?
> > > > (I can generate the list, but if someone has that already done, why
> > > > re-invent the wheel?)
> > > >
> > > > Is it easier to just ask for sudo for cleartool, and then shell out
> to
> > > > accomplish the required task as root? Will sudo log this behavior so
> the
> > > > system administrators have a log/trail should something go awry?
> > > >
> > > > Or would it be better to just ask for sudo for the commands needed
> one
> > > > at a time?
> > > >
> > > > What about troubleshooting a user's view? How do you go about
> getting
> > > > access to su to another user without knowing their password?
> > > >
> > > > Thanks for any help in this!
> > > >
> > > > Regards,
> > > >
> > > > Scott MacKillip
> > > >
> > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > >
> > > > can also
> unsubscribe
> > > >
> > > > http://clearcase.rational.com/cciug/mailing_list.html
> > > >
> > >
> > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > >
> > > can also
> unsubscribe
> > >
> > > http://clearcase.rational.com/cciug/mailing_list.html
> > >
>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This archive was generated by hypermail 2b29 : Sun May 06 2001 - 00:22:41 EDT