Constrained sudo is no substitute for proper security. If I were in charge of a database where personal details or credit card or financial information could be compromised, I would not rely on constrained sudo.
The reason is that no matter how smart you think you are, some smarty pants always finds a way to abuse the root privileges they have been granted, possibly by exploiting a design flaw in the program they've been allowed to run as root.
For example, I am pretty sure that psql can be used to write files with arbitrary content (use your imagination with \copy ... or \echo ...). I am pretty sure that as root you could overwrite /usr/bin/psql with another file of the same name that actually execs /bin/bash if invoked with a suitable command line option, but otherwise behaves just like /usr/bin/psql ...
If you don't believe me, try this:
sudo psql <whatever ...>
dbname=> \pset tuples_only
dbname=> \o |/bin/bash
dbname=> select 'id';
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
There are many more sophisticated examples. The only solution is not to grant sudo to anyone you wouldn't grant root to.
Cheers,
Robin
On Wed, 2012-03-14 at 12:24 -0400, Kris Deugau wrote:
Scott Ribe wrote:
> On Mar 14, 2012, at 9:01 AM, David Ondrejik wrote:
>
>> In Linux you can set up and use the "sudo" option. For those whom you don't wish to have root access, simply make them sudo users, then change the root password. This will force those users to simply type "sudo" (w/o quotes) at the beginning of each command they want to run (i.e. sudo psql db_name "insert into....").
>
> Sure, you mean like this command:
>
> sudo su root
If properly (mis)configured.
On the other hand, you can provide very limited root access on a
command-by-command and user-by-user basis with more complex sudo
configurations, and while the first request will ask for a password,
further requests within the configured authorization timeout will still
be logged even if the user isn't asked for their password.
-kgd
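An added example, not part of Robin's or Kris's mail: a small Python audit that makes the two points above checkable. It parses a sudoers fragment and reports rules that hand out a shell-escape-capable command (psql as root being the one Robin demonstrates, and a bare ALL being the `sudo su root` case Scott mentions), and it scans sudo's syslog lines for executed invocations of those same commands, which is the log trail Kris notes sudo still writes even when no password is asked for. The sudoers fragment and the log lines are constructed for the example; the list of escape-capable binaries and the reasons given are illustrative, not exhaustive; and the log parser assumes sudo's default syslog line layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`).

```python
"""Audit a sudoers fragment and sudo syslog lines for commands that can be
turned into a root shell or an arbitrary file write.  Added example, not
code from the original thread; all sample data below is constructed."""
import re

# Commands that give a shell or an arbitrary file write once run as root.
# psql's entry is the trick shown in the thread; the others are each tool's
# own documented features.  Illustrative list, not an exhaustive one.
SHELL_ESCAPE_BINARIES = {
    "/usr/bin/psql": r"\! runs a shell; \o |cmd pipes output to a command; \copy writes files",
    "/usr/bin/vim":  ":!cmd runs a shell; :w writes any file",
    "/usr/bin/less": "!cmd runs a shell",
    "/usr/bin/find": "-exec runs any command",
    "/bin/su":       "gives a root shell outright",
    "/usr/bin/su":   "gives a root shell outright",
}

# user  hosts=(runas) TAG: /cmd args, /cmd2 args   (Defaults and aliases skipped)
SUDOERS_RULE_RE = re.compile(
    r"^(?P<user>[^\s#]\S*)\s+(?P<hosts>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, SETENV:, ...


def parse_sudoers(text):
    """Return (user, runas, command_path) for every command in user rules.
    Runas defaults to root, as sudo itself does when no (runas) is given."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = SUDOERS_RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for spec in m.group("cmds").split(","):
            spec = TAG_RE.sub("", spec.strip())
            if spec:
                rules.append((m.group("user"), runas, spec.split()[0]))
    return rules


def risky_rules(sudoers_text):
    """Rules whose permitted command can become a shell or a file write."""
    findings = []
    for user, runas, cmd in parse_sudoers(sudoers_text):
        if cmd == "ALL":
            findings.append((user, runas, cmd, "ALL permits any command, including a shell"))
        elif cmd in SHELL_ESCAPE_BINARIES:
            findings.append((user, runas, cmd, SHELL_ESCAPE_BINARIES[cmd]))
    return findings


# sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/psql dbname
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_log(line):
    """Parse one sudo syslog line; None if the line is not a sudo record."""
    m = SUDO_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["denied"] is not None
    rec["argv"] = rec["cmd"].split()
    return rec


def flag_sudo_log(lines):
    """Executed (not denied) sudo runs of a shell-escape-capable binary."""
    hits = []
    for line in lines:
        rec = parse_sudo_log(line)
        if rec is None or rec["denied"] or not rec["argv"]:
            continue
        path = rec["argv"][0]
        if path in SHELL_ESCAPE_BINARIES:
            hits.append((rec["user"], rec["runas"], path, SHELL_ESCAPE_BINARIES[path]))
    return hits


# Constructed sample sudoers: alice has exactly the rule the thread warns about.
SAMPLE_SUDOERS = """\
Defaults env_reset
# DBA staff may run psql as root
alice ALL=(root) /usr/bin/psql
bob   ALL=(root) NOPASSWD: /usr/bin/systemctl restart postgresql, /usr/bin/less /var/log/postgresql/*
carol ALL=(postgres) /usr/bin/psql
%wheel ALL=(ALL) ALL
"""

# Constructed sample syslog lines in sudo's default layout.
SAMPLE_LOG = [
    "Mar 14 12:24:01 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/psql dbname",
    "Mar 14 12:24:05 db1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar 14 12:25:11 db1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/postgresql/postgresql-9.1-main.log",
    "Mar 14 12:26:00 db1 sudo:    dave : command not allowed ; TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/su root",
]

if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDOERS):
        print("sudoers: %-7s as %-8s %-18s %s" % f)
    for h in flag_sudo_log(SAMPLE_LOG):
        print("log:     %-7s as %-8s %-18s %s" % h)
```

Run against the sample data it reports alice's psql rule, bob's less rule, carol's psql-as-postgres rule and the %wheel ALL rule, and from the log it flags alice's psql session and bob's less session while leaving dave's denied su attempt out of the executed list. The allowlist is the part a practitioner would extend for their own hosts; the point of the thread is that for a command like psql there is no argument restriction that makes the rule safe, so the finding is the rule itself, not any particular invocation.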