[sudo-users] sudo remove -s and -i option
Paul Cantle
paul at cantle.me
Wed Aug 23 08:37:40 MDT 2017
Hi,
Plenty unless you specify NOEXEC in sudoers – vi, vim, less, awk and probably others.
Examples:
sudo awk 'BEGIN {system("/bin/sh")}' – will give a root shell
sudo vim <esc> :sh – will give a root shell
if people need to be able to edit files as root sudoedit or sudo –e is a safer option.
I cannot stress enough that this isn’t the way to go – Really, you should just limit the commands that people need to execute as root and not mess with the sudo program itself.
Just my 2c
Rgds
Paul
On 23/08/2017, 15:32, "sudo-users on behalf of Goodman Leung" <sudo-users-bounces at sudo.ws on behalf of gbcbooksmj at gmail.com> wrote:
here is the output when my user execute sudo /bin/bash
user1 at kickseed:~$ sudo /bin/bash
Traceback (most recent call last):
File "<string>", line 92, in <module>
File "<string>", line 33, in check_element
IndexError: list index out of range
i thing they get the same result when they use /bin/sh instead .
do you know any aother command can get a root shell ?
在 2017/8/23 16:38, Maarten de Vries 写道:
>
>
> On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com
> <mailto:gbcbooksmj at gmail.com>> wrote:
>
> well , before i m doing this, i have another solutions , i write
> a security binary to replace /usr/bin/sudo ,
>
> you are not able to execute sudo -s , sudo -i , sudo su , and even
> sudo /bin/bash.
>
>
> would you guys wanna try ?
>
> i just think it is not perfect enough.
>
>
> I think it is a really bad idea. If jou want to prevent users
> executing arbitrary commands jou MUST whitelist exactly the commands
> that they should be able to use.
>
> Blocking only shells is almost completely pointless because users can
> still execute *every* other command from their own shell prefixed with
> sudo. The only thing you would win is that every sudo invocation is
> logged. But if they want they can destroy all logs on the local system.
>
> Also, shells and editors are far from the only tools that allow you to
> bypass sudo logging. Every script interpreter (python/ruby/perl/etc)
> can do the same. And then there are many more interactive tools that
> allow users to run arbitrary commands.
>
> And if you did blacklist *everything* (which is impossible), then
> users can just copy a blacklisted binary to their home folder with a
> different name so it is not blacklisted anymore.
>
> In short: if you want to allow users to run arbitrary commands as
> root, but not shells, you're pretty much out of luck. If you want to
> allow them to do some specific things as root, whitelist exactly
> those. Either way, writing your own sudo is not the solution.
>
> -- Maarten
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-users
More information about the sudo-users
mailing list