Is my implementation/understanding of SUDO flawed?

Jeff Kennedy jlkennedy at amcc.com
Mon Feb 25 16:43:10 EST 2002


> I may be asking a lot but sudo already caters, as you say, for overriding
> one's initial PATH and, without looking too closely at the ramifications, I
> can see no big reason to think that if sudo meets a *top level* script with
> 777 permissions then it could simply refuse to run it unless-and-until the
> administrator positively accepts that situation with a configuration flag
> which says allow "open" scripts to be run.

Anyone please correct me if I'm wrong, but sudo isn't designed that
way.  It affects the permission of specific files (whether they be
binaries, scripts, or plain text files) allowing non-privileged users a
higher level of access with copious logging....
It is not a chrooted environment.

> 
> Am I asking too much? why does sudo handle initial PATH issues within its
> remit (and it doesn't stop a script itself setting an equally awful PATH
> selection after sudo initially sanitized it) to help stop a user shooting
> themselves in the foot, and then it gives them a cannon to blow the
> unsuspecting administrator's head off ;-o

I think you may be asking too much.. :-]  It handles the initial path
for just the reason you stated, to protect you from a malicious user who
actually knows how to exploit a system.  It is not designed to protect
you from yourself...

> In my heart of hearts I know and agree with you that I *need* to consolidate
> and take control of all those lower level scripts and having top-level
> checking isn't really sufficient so I still need to address the entire
> issue.

Problem solved then... ;-]
 
> In a sense the problem also boils down to one of, without sudo, if I as a
> root administrator run one of those scripts can I *guarantee* no-one's
> changed any of the commands to do something "naughty" when it's run by root

If the answer to that question is no, sudo will not help you.  If you
run a script as root that calls other scripts that are not writeable
*only* by root, then you are lighting the proverbial cannon yourself. 
With your head inside to see what's going on... ;-]

-- 
=====================
Jeff Kennedy
Unix Administrator
AMCC
jlkennedy at amcc.com
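
The condition in the last paragraph of the message above (anything root runs, including the lower-level scripts a top-level script calls, should be writable only by root) can be checked before a script is ever listed in sudoers. This is an added example, not part of the original message; the function names `loose_perms` and `audit_scripts` and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: flag scripts that someone other than the trusted owner
# could modify or replace before root (directly or via sudo) runs them.

# loose_perms PATH [OWNER]
# Returns 0 if PATH is not owned by OWNER (default: root) or is group- or
# world-writable; returns 1 if only OWNER can write to it.
loose_perms() {
    lp_owner=${2:-root}
    # -L judges the symlink target, not the link itself; -prune keeps find
    # from descending when PATH is a directory.
    hit=$(find -L "$1" -prune \
        \( ! -user "$lp_owner" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -n "$hit" ]
}

# audit_scripts OWNER FILE...
# Checks every listed script and its containing directory (a writable
# directory lets a user swap out a file they cannot edit). Prints one line
# per finding and returns non-zero if anything was flagged.
audit_scripts() {
    owner=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        if loose_perms "$f" "$owner"; then
            echo "WRITABLE $f"; rc=1
        fi
        d=$(dirname "$f")
        if loose_perms "$d" "$owner"; then
            echo "WRITABLE $d (directory)"; rc=1
        fi
    done
    return $rc
}

# Usage (hypothetical paths): list the top-level script and every script it calls.
#   audit_scripts root /usr/local/sbin/nightly.sh /usr/local/lib/nightly/rotate.sh
```

Only the immediate directory of each file is checked; ancestors further up the path need the same treatment.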


