Re: root group in solaris : Tools

From: Michael T Pins (mtpinsnndev.org)
Date: Fri Sep 22 2006 - 15:15:18 CDT


Mike Kuriger writes:

>sudo provides logging, and commands such as /bin/sh etc can be put into
>a group in /etc/sudoers and forbidden. then add users to the wheel
>group who need sudo access. of course there are ways around the
>forbidden things. you can be specific with which commands they can run
>so that they don't write shell scripts and run them with sudo to bypass
>the forbidden binaries.

>Cmnd_Alias SHELLS = /sbin/sh,\
> /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh,\
> /usr/bin/sh,/usr/bin/csh,/usr/bin/tcsh,/usr/bin/ksh

>Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su

>%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN

Doesn't help. If you allow the user to sudo any program that allows them
to shell out (i.e. vi, more) they can get a root shell.

If you need to stop people with sudo access from getting a root shell
you need to have only allow lists, not deny lists. And, obviously, you
need to be very careful about what programs you allow them.

I did once hack up both vi and more so users couldn't shell out, but
unfortunately that code is long gone.

--
Michael T Pins | "It is not knowable how long that conflict
mtpinsnndev.org | (Iraq) would last. It could last, you know,
keeper of the nn sources | six days, six weeks. I doubt six months."
ftp://ftp.nndev.org/pub | - Donald Rumsfeld, Feb 7, 2003
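
An added example, not part of the original messages: a small Python audit for the point made in the reply above, flagging sudoers rules that grant ALL (with or without negations) and allowed commands that can shell out. It handles only a simplified subset of sudoers syntax; the %ops rule and the SHELL_ESCAPE set (seeded with the two programs the reply names) are assumptions.

```python
import re

# Programs the thread names as able to shell out (extend for your own site).
SHELL_ESCAPE = {"vi", "more"}

# Constructed sample: the quoted deny-list rule plus a hypothetical %ops rule.
SAMPLE = r"""
Cmnd_Alias SHELLS = /sbin/sh,\
 /bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
Cmnd_Alias FORBIDDEN = /bin/passwd root,/bin/su,/sbin/su
%wheel ALL = (ALL) ALL,!SHELLS,!FORBIDDEN
%ops ALL = (root) NOPASSWD: /usr/bin/vi /etc/hosts, /usr/sbin/ping
"""

def audit_sudoers(text):
    """Return (who, finding) pairs for a simplified subset of sudoers syntax."""
    text = re.sub(r"\\\n\s*", "", text)              # join continuation lines
    aliases, findings = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        alias = re.match(r"(\w+)_Alias\s+(\w+)\s*=\s*(.*)", line)
        if alias:
            if alias.group(1) == "Cmnd":             # only command aliases matter here
                aliases[alias.group(2)] = [c.strip() for c in alias.group(3).split(",")]
            continue
        spec = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if not spec:
            continue
        who = spec.group(1)
        # Drop tags such as NOPASSWD: from the front of each command entry.
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in spec.group(2).split(",")]
        allowed = [c for c in cmds if c and not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in allowed:
            # Negations cannot enumerate every path to a shell, so treat as full root.
            findings.append((who, "deny-list" if denied else "unrestricted"))
            continue
        for cmd in allowed:
            for item in aliases.get(cmd, [cmd]):     # expand Cmnd_Alias names
                prog = item.split()[0].rsplit("/", 1)[-1]
                if prog in SHELL_ESCAPE:
                    findings.append((who, "shell-escape: " + item))
    return findings

if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE):
        print(who, "->", finding)
```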