asterisk users - Aug 2003 - Can I runAsterisk remotely from telnetsession?

> From: Steven Critchfield [mailto:critch@basesys.com]
> On Fri, 2003-08-15 at 12:42, Adams, Gavin wrote:
> > Another thing I'm doing while soak testing an application (pre
> > /etc/init.d startup script) is to run 'screen' as an
unpriviledged
user,
> > then 'su -' to root (or even better, 'sudo su -')
followed by
starting
> > the application.
> 
> "sudo su -" is kind of a stange thing to do. You would probably
be
> better of doing "sudo bash" as it also will give you a bash
prompt
with
> root login.
Good point on Linux/BSD boxen. My sudo 'training' days came from AIX and
Solaris. :)

--- Gavin

On Mon, 18 Aug 2003, Adams, Gavin wrote:
> > "sudo su -" is kind of a stange thing to do. You would
probably be
> > better of doing "sudo bash" as it also will give you a bash
prompt
> > with root login.
> 
> Good point on Linux/BSD boxen. My sudo 'training' days came from
AIX and
> Solaris. :)
I am missing something as to it being a 'good point'; I
disagree, and consider the first formulation more cautious. --

The reason for the '-' after the su is to clear out a
potentially hostile user environment (path, aliases, and the
like).  A clever malicious user can 'booby-trap', say, 'ls'
and tell an admin that they cannot delete a file.  Admin
wanders over, and runs ls which acts normally, as it notices
root privs are not present.  Admin runs 'sudo su' up to root,
and re-runs 'ls' command which notices the root auth, and adds
a backdoor or three ... game over.

Properly configured, 'sudo' should not have worked from a
non-authorized user's account, but misconfig's happen.  
Indeed, even from a sudo authorized user's account, a person
someimes steps away from console without locking it.

Without clearing the environment and path, an incautious admin
using 'sudo bash' is more likely to lose control of their 
hosts.

-- Russ Herrold