[sudo-users] Sudo with PEP (Privilege Extension Prevention)
Christopher Racky
christopher.racky at web.de
Sun Jan 5 05:25:32 MST 2014
Hello Todd,
Thanks for your feedback and email.
The SHA-2 digest is a good concept, but in larger setups (as ours) it
is -to be honest- very unrealistic.
For example: We use sudo with LDAP backend on a set of very different
operating systems, platforms and versions (like Solaris 9, 10, 11...,
AIX, Red Hat..., Debian, ...).
So it would require that for each platform and each binary a digest
would be generated which would generate a very complex sudo ruleset and
a lot of processes and organizational activities.
I see the race condition between time of validation and time of use. On
the other hand you have something similar between retrieval from LDAP
and executing on local system...
So nevertheless, I'm still convinced that this "Privilege Extension
Prevention" concept would be very helpful also in bigger setups and
significantly increases the system security from an operational point of
view.
A lot of administrators are quite lazy, and often they forget to set
the correct file permissions, so this functionality would force them to
work more "secure".
Do you think that this functionality can be added in future releases?
Best regards
Chris
-----Original Message-----
From: Todd C. Miller <Todd.Miller at courtesan.com>
Sent: 2013-11-21 23:31:49
To: Christopher Racky <christopher.racky at web.de>
Subject: Re: [sudo-users] Sudo with PEP (Privilege Extension
Prevention)
It sounds like your main concern is that sudo might run a program
or script that is writable by an unprivileged user, is that correct?
There's currently no way to require that commands be writable only by
root or the user the command is being run as, which sounds like
what you want. I think you'd have to disallow group writability
too, as well as writability of the parent directory.
Sudo 1.8.7 and higher allow you to specify a SHA-2 digest for a
command which can prevent a modified program or script from being
run. However, if the directory the command is located in is writable
by unprivileged users, there is a time of check vs. time of use
race condition.
- todd
From: "Christopher Racky"
To: sudo-users at sudo.ws
Subject: [sudo-users] Sudo with PEP (Privilege Extension Prevention)
Hello List,
We are using sudo with LDAP for quite a long time.
Currently sudo has no privilege extension prevention, that means, sudo
does not include any protection for permission extension.
One example:
If I have the permission to edit a binary like a script as a "normal user"
e.g. vi /usr/local/sbin/makesomething.sh
sudo has no protection that prevents me running this command in another
user context, if the ruleset allows.
e.g. sudo /usr/local/sbin/makesomething.sh
So from my point of view, sudo should prevent me from executing a
command in another user context if I'm able to write to the executed
file.
Of course the executed file could join/merge or fork other processes,
but this is -in my opinion- a very basic security functionality which
should prevent some basic mistakes.
Is there any special reason for not having such functionality?
Or is this functionality already available?
Dear list, users and technical architects, what is your opinion about
that?
Best regards
Chris
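
The check discussed in this thread (command and its parent directory writable only by root or the target user, with no group or other write bits), written as a stand-alone audit script. This is an added example, not part of the thread and not sudo code; the function names and the sample tree are assumptions, and an audit run ahead of execution has the same time of check vs. time of use limit mentioned above.

```python
import os
import stat
import tempfile


def writable_findings(command, runas_uid=0):
    """Return reasons why `command` could be modified by someone other than
    root or runas_uid. An empty list means the check passed."""
    allowed = {0, runas_uid}
    real = os.path.realpath(command)  # follow symlinks to the file that would run
    findings = []
    # Check the command itself and the directory it lives in.
    for path in (real, os.path.dirname(real)):
        st = os.stat(path)
        if st.st_uid not in allowed:
            findings.append(f"{path}: owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{path}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")
    return findings


def demo():
    """Constructed sample tree; the current user stands in for the runas user."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        sbin = os.path.join(d, "sbin")
        os.mkdir(sbin)
        script = os.path.join(sbin, "makesomething.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(sbin, 0o755)
        os.chmod(script, 0o755)
        clean = writable_findings(script, me)    # nothing to report
        os.chmod(script, 0o775)
        group = writable_findings(script, me)    # script is group-writable
        os.chmod(script, 0o755)
        os.chmod(sbin, 0o777)
        parent = writable_findings(script, me)   # directory allows replacement
        return clean, group, parent


if __name__ == "__main__":
    for label, result in zip(("clean", "group", "parent"), demo()):
        print(label, result)
```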