I could walk around sudo!!!

mackay at kodak.com
Thu Feb 15 14:37:10 EST 2001


From: Scott D. MacKay

Yes.  You really need to specify all the commands and watch for loopholes
(like shell escape out of vi) to use SUDO in this fashion.
If people are developing drivers, writing apps which need to become root,
etc, then neither this nor most any other root-enable app will help you,
unfortunately.
If you need to track items like this, the best you can do using this app
is:
1) configure syslog for remote logging.  This at least will indicate who
invoked SUDO, up to the point where they compromise SUDO or syslog (and may
send fake messages to make it look like someone else did stuff after them).
2) Enable a BSM (Solaris, Basic Security Module) like product.  You can
configure this to log stuff like SETUID apps, etc.

No matter what, if they get free rein, eventually every security app is
rendered useless.

With your potential granular needs while providing very wide allowances,
you may want to look at Power Broker
at http://www.symark.com/pbroker3.htm.  I have not used it before, but saw
some of their literature.

-Scott

"Henry Leung" <hleung at osft.com> on 02/15/2001 12:23:02 PM

To:   mackay at kodak.com, sudo-users at courtesan.com
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  RE: I could walk around sudo!!!

Thank you for your reply.

The case in my company is that we are doing system level software
programming. The programmers and QA need to be root to do some tests, but
some programmers still like to play around on the system and leave garbage
in the system. I want to give them the root privilege, but I still want to
block some things or keep track of the commands they are using.

It seems that I have to configure every command or directory that those
programmers are allowed to use. Is that right?

Thanks goes to:
"Todd C. Miller" <Todd.Miller at courtesan.com>
Alek O. Komarnitsky (N-CSC) [mailto:alek at ast.lmco.com]
Nathan Dietsch [mailto:nathandi at access.com.au]
Saxon, Lamar [mailto:Lamar.Saxon at americredit.com]
mackay at kodak.com [mailto:mackay at kodak.com]


-----Original Message-----
From: mackay at kodak.com [mailto:mackay at kodak.com]
Sent: Thursday, February 15, 2001 9:19 AM
To: Henry Leung
Subject: Re: I could walk around sudo!!!


From: Scott D. MacKay

Wow, if this were on slashdot I am sure this would receive a troll flag....
As many people have said, you really need to read the docs more.  If you
still want to avoid that, think of the tool another way than you currently
are.

SUDO should be treated as an 'allowance by rule definition' rather than a
'disallowance by rule definition'.  This means that you should configure
SUDO to specifically allow well defined commands rather than say 'allow
everything BUT xyz'.  Really, there are not that many commands where a
person NEEDS to be root to perform system administration.  For those cases,
the definitions in the sudoers file should call out the explicit commands.
If you give a person full root access, there is nothing to keep them from
editing the password file, creating a chmod +s shell, etc etc.
When would you use the 'ALL' option?  There are good cases, but in every
one the targeted individuals are people that are completely trusted.
For me, I use the 'ALL' option for myself so I do not need to send the root
password across the wire when telneted into another machine (plus I have it
configured for SecurID authentication so my password is useless to would-be
hackers too)...

Scott MacKay

"Henry Leung" <hleung at osft.com> on 02/13/2001 05:11:27 PM

To:   sudo-users at courtesan.com
cc:    (bcc: Scott D. MacKay/943904/EKC)
Subject:  I could walk around sudo!!!

I just installed sudo on my system and played around with it. I just
feel that sudo cannot protect anything. Here is an example:

1) No protection for the log file: I can easily delete the entries in
/var/log/sudolog by "sudo vi /var/log/sudo" or "sudo rm /var/log/sudo".

2) Cannot block certain commands:

Even though su is blocked by the sudoers:
-----------------------------------------
Cmnd_Alias      TEST=/usr/bin/su

# User privilege specification
root    ALL=(ALL) ALL
%sunteam ALL=(ALL) ALL,!TEST
----------------------------------------

I can still su to other users by creating a simple script. Here it is:
-----------------------------------------------------------------------
$ more sudotest
#!/bin/sh
/usr/bin/su $1
-----------------------------------------------------------------------

The same script can be used to do anything!!!

How can you block this?

I am looking forward to your response!

Best Regards

Henry Leung

System Administrator, Opensoft Consulting Group Inc.
Tel : (416) 260-2656 ext.255
Suite 201, 322 King Street West. Toronto,ON, Canada M5V 1J2
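As an added illustration (not from the thread and not from the sudo project), the deny-by-exclusion fragment Henry posted, beside an allow-list rewrite of the kind Scott recommends. The command paths, the group's actual needs and the log locations are assumptions for a Solaris-style host:

```sudoers
## Weak: the form posted in the thread.  "ALL" grants every program, and
## "!TEST" only subtracts the literal path /usr/bin/su, so any other program
## that reaches su (a wrapper script, an editor's shell escape) is still
## permitted.  The rule therefore restricts nothing in practice.
# Cmnd_Alias      TEST=/usr/bin/su
# %sunteam        ALL=(ALL) ALL,!TEST

## Corrected: allowance by rule definition.  Nothing is granted unless named.

# Send each invocation to syslog as well as the local file.  Point syslogd
# at a remote loghost so a user who becomes root cannot scrub the record;
# the local copy is only a convenience (assumed paths).
Defaults        syslog=auth
Defaults        logfile=/var/log/sudolog

# Full paths only.  A command listed with arguments matches those exact
# arguments; a trailing "" means the command may take no arguments at all.
# (Assumed set of tools for a driver team.)
Cmnd_Alias      DRIVER_TOOLS = /usr/sbin/modload, /usr/sbin/modunload, \
                               /usr/sbin/modinfo ""
Cmnd_Alias      SVC_RESTART  = /etc/init.d/nfs.server stop, \
                               /etc/init.d/nfs.server start
Cmnd_Alias      READ_LOGS    = /usr/bin/tail /var/adm/messages

# Run as root only, and only for the named commands.  No editors, shells
# or interpreters appear here: each can spawn an arbitrary child as root
# and would reopen the hole above.  (sudo releases later than this thread
# add a NOEXEC tag for the rare case where an editor must be allowed.)
%sunteam        ALL = (root) DRIVER_TOOLS, SVC_RESTART, READ_LOGS

# Full trust stays an explicit, per-person rule, as Scott keeps it for
# himself, rather than being folded into the group rule.
root            ALL = (ALL) ALL
```

Check the result with visudo -c (syntax) and by running sudo -l as a member of the group, which lists exactly the commands the rule grants.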