[sudo-users] Restricting / Limiting permission/ownership of targeted binaries?
A. James Lewis
james at fsck.co.uk
Mon Apr 26 07:25:38 MDT 2021
Hi,

I've been trying to figure out if there's a way to cause sudo to
validate that a particular binary has "secure permissions", before
allowing it to run, in the same way that sshd will not use an
"authorized_keys" file if it has insecure permissions.

If sudoers grants a user permission to run a particular binary as
"root", for example... I want to be able to ensure that that binary is
owned by "root", and that it is not writeable by a non-root user...
otherwise this could represent a security risk.

I realise that under normal circumstances things that can run with sudo
are usually system tools, and this would not be a problem, but all too
often sudo is called upon to do something a little more suspect, and I
have to deal with situations where there is a chance that files referred
to by sudo could end up with unacceptable permissions or ownership, and
it would be really nice if sudo could be configured to check.

Any advice/suggestions etc. would be appreciated... The last time I
mentioned something here, the answer was "ahh, the next version of sudo
can do that"... so, here's hoping for another miracle.

Thanks.

--
*ค. ﻝค๓єร ɭєฬเร* (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
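
The ownership and write-permission check described in the message, as an added example that is not part of the original post and is not sudo's own code. It audits a command path and every directory above it, in the spirit of the sshd behaviour the message mentions; the names `insecure_reasons`, `audit_command`, `trusted_uid` and `stop_at` are hypothetical, and the list of paths to audit is assumed to come from your own review of sudoers.

```python
import os
import stat
import sys

def insecure_reasons(st, trusted_uid=0):
    """Apply one rule to a stat result: trusted owner, no group/other write bit."""
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_command(path, trusted_uid=0, stop_at="/"):
    """Check a command and every directory above it, up to stop_at.

    A writable parent directory lets the file be replaced even when the
    file's own mode is fine, so the whole chain is checked.
    Returns a list of (path, reason) tuples; empty means the chain is clean.
    """
    current = os.path.realpath(path)      # follow symlinks to the real target
    stop = os.path.realpath(stop_at)
    findings = []
    if not stat.S_ISREG(os.stat(current).st_mode):
        findings.append((current, "not a regular file"))
    while True:
        for reason in insecure_reasons(os.stat(current), trusted_uid):
            findings.append((current, reason))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        current = parent
    return findings

if __name__ == "__main__":
    # Usage: pass the command paths to audit as arguments (assumed to be
    # the commands your sudoers rules allow); exit status 1 on any finding.
    bad = [f for p in sys.argv[1:] for f in audit_command(p)]
    for where, why in bad:
        print(f"{where}: {why}")
    sys.exit(1 if bad else 0)
```

A check like this is a point-in-time audit: permissions can change between the check and the moment the file is executed, so it suits scheduled auditing rather than enforcement.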