[sudo-users] sudo question

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Tue Jan 3 09:52:08 EST 2006


Hi Jared,

Not sure this will help you. Just a few suggestions. These should work if you authorize sudo via LDAP. Otherwise, you may need to change a few things.

- It is a bad idea to give someone sudo rights for "vi", unless you're running an OS that allows for the "noexec" option, like Solaris. That's because otherwise "vi" will allow for shell escapes. On other environments, one should only allow for "sudoedit" or "sudo -e".
- A chroot jail environment shouldn't be necessary, as it is possible to limit authorizations by making the allowed sudo commands more explicit.

So instead of authorizing "sudo /usr/bin/chown", you should authorize: "sudo /usr/bin/chown root <name of directory>/*"
Instead of "vi", unless you're running an OS that allows for the "noexec" option, you could authorize as follows:
"sudoedit <name of directory>/*"

I would recommend that you perform some auditing on the directory concerned. It doesn't require great hacking skills to place a root kit in this directory, with the authorizations you are going to provide. In particular, you should be alert for setuid root files.

Another recommendation is that you would test if the "noexec" option really works on your systems.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
OPS&ITB/WPS/UAS/MSO UNIX
Location code NA 00.92
T (020) 563 72 77, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Jared Greenwald
Sent: Tuesday 3 January 2006 2:21
To: sudo-users at sudo.ws
Subject: [sudo-users] sudo question


I have a general question about sudo and/or sysadmin (I'm sure they overlap more often than not)...

I need to give root access to a bunch of people on a particular directory.  They need to have the files owned by root for testing purposes, but they also need to be able to run make and vi on them. 
Is there a way to create a chroot jail sort of setup with sudo to accomplish this?

Thanks,
Jared

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
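The sudoers shape Huibert suggests (an explicit chown target, sudoedit in place of vi, noexec where sudo supports it) together with the setuid audit he recommends, as an added shell example that is not part of the list post; the group name, directory and output path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the list post. Group, directory and output path are
# assumptions passed in by the caller.

# Write a sudoers fragment that grants GROUP only the two rights discussed:
# chown-to-root inside DIR, and sudoedit of files inside DIR (never plain vi).
write_sudoers_fragment() {
    group="$1"; dir="$2"; out="$3"
    cat > "$out" <<EOF
# Constructed fragment for %$group, limited to $dir.
# NOEXEC: stops chown from executing further programs on systems where
# sudo's noexec support is present.
%$group ALL = NOEXEC: /usr/bin/chown root $dir/*
# sudoedit edits a temporary copy as the invoking user, so editor shell
# escapes never run as root.
%$group ALL = sudoedit $dir/*
EOF
    chmod 0440 "$out"
}

# Syntax-check a fragment without installing it (needs visudo on the box).
check_fragment() {
    visudo -c -f "$1"
}

# List regular files under DIR carrying the setuid bit; return 1 if any exist,
# so the call can gate a cron job or raise an alert.
audit_setuid() {
    dir="$1"
    found=$(find "$dir" -type f -perm -4000 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'setuid files under %s:\n%s\n' "$dir" "$found"
        return 1
    fi
    return 0
}
```

A wildcard in a sudoers command argument is matched against the whole argument string rather than a single path component, so keep the audit running even with the narrower rule in place.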