sudo and rksh

Scott MacKay smackay at pixel.kodak.com
Tue Apr 17 14:17:26 EDT 2001


[long winded, hopefully not off the point, forgive me :) ]

> > This is the
> > inherent problem with 'command denial' based rules instead of 'command
> > allow' based rules.
> 
> This is a command allow, for rksh, chown, chmod, cat, less, vim and grep?
Well, I was more speaking of the policy of 'allowing activity because it
is not denied' versus 'allowing activity because it is explicitly
allowed'.
Case in point:

# Policy: allow because it is not denied
Cmnd_Alias  SHELLS=/bin/sh,/bin/csh
ADMINS  ALL=ALL,!SHELLS
# end policy

The above allows you to run 'su' because it is not denied.  It disallows
you to run /bin/sh because it is explicitly denied.  The problem:  What
is to keep an admin from 'cp /bin/csh /tmp/myshell' and SUDOing
/tmp/myshell?

This is versus 'allow because it is explicitly allowed':
# Policy: allow because it is explicitly allowed
Cmnd_Alias  VOLMGT=/etc/init.d/volmgt start,/etc/init.d/volmgt stop
ADMINS ALL=VOLMGT
# End policy

By explicitly allowing activities, there is finer control.  Unless they
can corrupt a target file (like the above /etc/init.d/volmgt), they
cannot do anything more than what you allow (thus you can log what they
do).  I believe most firewalls go by the saying "that which is not
explicitly allowed is denied", which fits this view.


> 
> > You need to either determine which commands they are allowed to use (and
> > set up rules to only allow those) or have a serious talk and get them to
> > always use SUDO, possibly through management coercion.
> 
> They don't use su, ever. They probably don't remember the password.
> The problem is they use sudo excessively as a root shell to do things
> they could do as normal users.
If this is done just because they are lazy (doing a sudo csh instead of
3 or 4 sudo CMD), maybe you should just nudge them first.  Remove all
shells, 'su' (kinda the ALL,!SHELLS,!SU thing), and maybe even activate
the sudo banner to remind them to use SUDO properly to start.  Yes, they
can '!' out of a lot of commands, but if you are not worried about them
secretly corrupting something and just want to track activities
better/break them of the habit of 'sudo /bin/sh', this is probably a
good neutral first step.  It is a bit of a nudge for them to see how
they should be using SUDO.  If they then go and instead fork out of apps
to get a root command line (you could probably write a cron to 'ps' and
grep on root using a shell), well then maybe you need to restrict more
as that is a bit more 'covering what I do' vs 'not wanting the hassle of
3 "sudo" commands vs 1 nice "sudo /bin/csh"'


> 
> Management coercion is hardly needed. If they mess something up, I can
> always tell them to fix it up themselves :-), but I'd prefer we achieved
> a more stable system with some little work on their bad habits.

Hehe, it is always the way.

-- 
-----
"This posting reflects the views of the poster and does not reflect the
views of the company."
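
The deny-list versus allow-list distinction from the message above, as an added example that is not part of the original post: a small Python check that classifies each sudoers user rule by which of the two policies it follows. The sample policy text, the OPERS and ROOTERS names, and the simplified parsing are assumptions of this example.

```python
import re

# Constructed sample, modelled on the two policies in the message above.
SAMPLE = """\
Cmnd_Alias  SHELLS=/bin/sh,/bin/csh
Cmnd_Alias  VOLMGT=/etc/init.d/volmgt start,/etc/init.d/volmgt stop
ADMINS  ALL=ALL,!SHELLS
OPERS   ALL=VOLMGT
ROOTERS ALL=ALL
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")


def audit(text):
    """Classify each user rule as 'allow-list', 'deny-list' or 'unrestricted'.

    Simplified subset of sudoers: one rule per line, no Runas specs, tags,
    line continuations or escaped commas (assumptions of this example).
    """
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        allowed, denied = [], []
        for item in (c.strip() for c in m.group(2).split(",")):
            target = denied if item.startswith("!") else allowed
            # Expand a Cmnd_Alias name to its members; paths and ALL pass through.
            target.extend(aliases.get(item.lstrip("!"), [item.lstrip("!")]))
        if "ALL" not in allowed:
            findings.append((m.group(1), "allow-list", allowed))
        elif denied:
            # Negation matches the listed paths only; a copy elsewhere still runs.
            findings.append((m.group(1), "deny-list", denied))
        else:
            findings.append((m.group(1), "unrestricted", []))
    return findings
```

Rules reported as 'deny-list' are the ones to rewrite as explicit command lists; the third tuple element shows the paths the rule tries to block.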


