[sudo-users] Re: [sudo-workers] NOEXEC: /usr/bin/vi using ldap
Jacob Pszonowsky
jdp16 at mac.com
Wed Jul 7 20:47:36 EDT 2004
Aaron -
Thanks for the tips. I'll try these various combinations now.
Working on these I've noticed a couple of things:
1. Sudoedit (when not specifically denied or allowed) allows
2. Sudoedit doesn't follow any of the deny rules (always allows editing
of a file - even if denied)
3. This doesn't work trying First entry and Second Entry - it allows
editing of all files:
> User jacobp may run the following commands on this host:
> LDAP Role: ldap_admin
> Commands:
> !/usr/bin/vi
> !/usr/bin/less
> !/usr/sbin/ldapclient
> !/bin/sh
> !/bin/bash
> !/bin/ksh
> !/bin/tcsh
> !/grid/common/bin/bash
> !/grid/common/bin/tcsh
> !/usr/ngnu/bin/bash
> !/usr/ngnu/bin/tcsh
> All
>
> LDAP Role: vi
> Commands:
> !/usr/bin/vi /etc/passwd
> /usr/bin/vi
I'll continue to try different combinations and let you know how it
goes.
Thanks,
Jake
Jacob Pszonowsky
jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
On Jul 7, 2004, at 4:59 PM, Aaron Spangler wrote:
> Jacob,
>
> Try
>
> # First entry
> sudoUser: ......
> sudoHost: .....
> description: Allow all commands except vi
> sudoCommand: ALL
> sudoCommand: !/usr/bin/vi
>
> # entry two
> sudoUser: <same as above>
> sudoHost: <same as above>
> description: Allow vi to modify most files but no subshells
> sudoOption: noexec
> sudoCommand: /usr/bin/vi
> sudoCommand: !/usr/bin/vi /etc/passwd
>
> or better yet, this combines all into one role
>
> # better example
> sudoUser: <same as above>
> sudoHost: <same as above>
> description: allow most commands except vi, allow safe editing except /etc/passwd
> sudoCommand: ALL
> sudoCommand: !/usr/bin/vi
> sudoCommand: sudoedit
> sudoCommand: !sudoedit /etc/passwd
>
> Since above prevents vi and requires the user to use 'sudoedit'
> instead to modify files, then vi runs as the normal user, so even if
> they subshelled, they would not gain additional privileges.
> The only trick is that since you have taught your users to use sudo
> before commands, ask them to use 'sudoedit' to modify files.
>
> On a different matter, make sure you notify your users they are not
> supposed to modify /etc/passwd because they could always do the
> following because the ! statements really do not protect the clever
> person. Example:
>
> ln -s /etc/passwd /tmp/myfile
> ln -s /usr/bin/vi /tmp/myedit
> sudo /tmp/myedit /tmp/myfile
>
> As a side note, for some reason the example above does not currently
> allow sudoedit. I will find out why and get back to you.
>
> -Aaron
>
> Jacob Pszonowsky wrote:
>
>> Question: Does the NOEXEC: /usr/bin/vi syntax work with ldap? Also,
>> is it possible to use this in conjunction with:
>>
>> sudoCommand: !/usr/bin/vi /etc/passwd
>> sudoCommand: NOEXEC: /usr/bin/vi
>> sudoCommand: ALL
>>
>> such that
>> "/usr/bin/vi /etc/passwd" is NOT allowed,
>> executing a shell from vi is NOT allowed,
>> all other commands are allowed
>>
>> It doesn't seem to work, but I could have the syntax wrong.
>>
>> Thanks,
>> Jake
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>>
>> ____________________________________________________________
>> sudo-workers mailing list <sudo-workers at gratisoft.us>
>> For list information, options, or to unsubscribe, visit:
>> http://www.gratisoft.us/mailman/listinfo/sudo-workers
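The thread's underlying point is that sudo's `!` exclusions match on the command path as typed, so `ALL` plus `!/usr/bin/vi`, or `!/usr/bin/vi /etc/passwd`, does not reliably subtract anything, and that an editor allowed without `noexec` can hand out a root shell. Below is an added audit script (not sudo's own code and not from either poster) that parses sudoRole entries in LDIF form and flags those three patterns, so a reviewer of an LDAP sudoers tree can spot them before a user does. The LDIF sample is constructed to mirror the entries quoted above; the `dn`, `cn` and `ou` values are made up for the example, and only the attribute names used in the thread (`sudoUser`, `sudoHost`, `sudoCommand`, `sudoOption`) are assumed.

```python
"""Audit sudoRole LDIF entries for the '!' deny patterns discussed in the thread.

Added example, not code from sudo or from the thread's authors. Attribute names
follow the thread (sudoUser, sudoHost, sudoCommand, sudoOption); the LDIF below
is a constructed sample with made-up dn/cn values.
"""
import os
from typing import Dict, List

# Constructed sample modelled on the roles quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=ldap_admin,ou=SUDOers,dc=example,dc=com
cn: ldap_admin
sudoUser: jacobp
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/usr/bin/vi

dn: cn=vi,ou=SUDOers,dc=example,dc=com
cn: vi
sudoUser: jacobp
sudoHost: ALL
sudoOption: noexec
sudoCommand: /usr/bin/vi
sudoCommand: !/usr/bin/vi /etc/passwd

dn: cn=editors,ou=SUDOers,dc=example,dc=com
cn: editors
sudoUser: jacobp
sudoHost: ALL
sudoCommand: sudoedit /etc/hosts
sudoCommand: sudoedit /etc/motd
"""

# Programs that can spawn a subshell or open arbitrary files once running.
SHELL_CAPABLE = {"vi", "vim", "view", "less", "more"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line separates entries, a leading space
    continues the previous attribute value, attributes may repeat."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def audit_role(entry: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for one sudoRole entry."""
    cmds = entry.get("sudoCommand", [])
    opts = {o.lower() for o in entry.get("sudoOption", [])}
    allowed = [c for c in cmds if not c.startswith("!")]
    denied = [c[1:].strip() for c in cmds if c.startswith("!")]
    findings: List[str] = []

    # Pattern 1: ALL with '!' exclusions. The exclusion matches the path as
    # typed, so another path to the same binary is still covered by ALL.
    if denied and any(a.upper() == "ALL" for a in allowed):
        findings.append(
            "ALL combined with '!' exclusions: exclusions match the typed path, "
            "so they do not subtract the program from ALL")

    # Pattern 2: denying one argument form of a command (e.g. a single file).
    for d in denied:
        prog, _, args = d.partition(" ")
        if args:
            findings.append(
                f"'!{d}' denies only that exact argument; use sudoedit with an "
                "explicit allow list of files instead")

    # Pattern 3: an editor/pager allowed without noexec (noexec itself only
    # covers dynamically linked programs, so sudoedit is still preferable).
    for a in allowed:
        prog = os.path.basename(a.split()[0])
        if prog in SHELL_CAPABLE and "noexec" not in opts:
            findings.append(
                f"'{a}' can spawn a subshell as root; add 'sudoOption: noexec' "
                "or switch to sudoedit")
    return findings


def audit_ldif(text: str) -> Dict[str, List[str]]:
    """Map each role's cn to its findings (empty list means nothing flagged)."""
    return {e.get("cn", ["?"])[0]: audit_role(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for role, notes in audit_ldif(SAMPLE_LDIF).items():
        print(f"{role}: {'ok' if not notes else ''}")
        for n in notes:
            print(f"  - {n}")
```

Run against the sample, the `ldap_admin` role is flagged for the ALL-plus-exclusion pattern, the `vi` role for its per-file deny (its `noexec` option suppresses the subshell finding), and the `editors` role, which uses `sudoedit` with an explicit file list, comes back clean, which is the shape Aaron steers towards at the end of his message.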