You've probably seen my rumblings about having a terrible sudoers file (on the order of 7K lines, each (there is more than one...)).
From a systems administration perspective, `sudo su - XXX` is dumb because sudo was designed to replace su and is defeating the purpose of sudo. Not to mention the Cluster Fuck that the sudoers file becomes when you specify the "command aliases" as a bunch of su rules.
Sudo allows you to run executables as another user. `sudo su - foo` is literally "change to root, then run su to change to foo" (this takes advantage of a caveat with su that root does not have to know the password of the account they are changing to), whereas `sudo -u foo -i` means "change to foo".
I've made this point to management on more than one occasion, but as long as they don't see an obvious detriment their opinion is: "Give the users whatever they want, don't bother training them [that `sudo -u` is the proper way], and if they fuck up their server, you can fix it."
I think if I can show how a malicious user could obtain a root shell they would be much more willing to listen to my pleas for sanity (because I'm the guy who maintains the cluster fuck of a sudoers file(s)).
Anyone got any tricks to break out of a `sudo su - foo` into a root shell?
The sudo rule is written as:

    someuser somehost = (root) /bin/su - foo

(where someuser and somehost are actual users and hosts)
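As an added example (not part of the original post), a small POSIX shell audit that flags sudoers rules of the `sudo su - <user>` shape described above and prints the equivalent rule that runs as the target user directly, so `sudo -u foo -i` works without passing through root; the sudoers lines it reads are constructed sample input, and the `(foo) ALL` replacement is the author of this example's suggestion, not the post's.

```sh
# Constructed sample sudoers content (not a real file): two rules of the
# "sudo su - <user>" shape the post describes, plus two that are fine.
SAMPLE_SUDOERS='# constructed sample
someuser somehost = (root) /bin/su - foo
someuser somehost = (root) /usr/bin/su -l bar
otheruser ALL = (foo) ALL
admin ALL = (root) /usr/sbin/service httpd restart
'

# Print every rule whose command is su; comments, blank and Defaults lines
# are skipped. The runas spec "(root)" is optional in sudoers, so strip it.
find_su_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*Defaults/ { next }
        {
            cmd = $0
            sub(/^[^=]*=[[:space:]]*/, "", cmd)      # keep text after "="
            sub(/^\([^)]*\)[[:space:]]*/, "", cmd)   # drop "(runas)"
            if (cmd ~ /^(\/usr)?\/bin\/su$/ || cmd ~ /^(\/usr)?\/bin\/su[[:space:]]/)
                print
        }'
}

count_su_rules() {
    find_su_rules "$1" | grep -c .
}

# For each su rule, print the rule that grants the same reach without going
# through root: "(target) ALL", which "sudo -u target -i" then satisfies.
suggest_replacement() {
    find_su_rules "$1" | awk '
        {
            spec = $0
            sub(/[[:space:]]*=.*$/, "", spec)       # "user host" part
            cmd = $0
            sub(/^[^=]*=[[:space:]]*/, "", cmd)
            sub(/^\([^)]*\)[[:space:]]*/, "", cmd)
            n = split(cmd, f, /[[:space:]]+/)
            target = ""
            for (i = 2; i <= n; i++)                # skip su and its -/-l flags
                if (f[i] !~ /^-/) { target = f[i]; break }
            if (target == "") target = "root"       # bare "su -" means root
            print spec " = (" target ") ALL"
        }'
}

find_su_rules "$SAMPLE_SUDOERS"
suggest_replacement "$SAMPLE_SUDOERS"
```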