how to prevent ./*

Martin Vazquez mtrash1 at hotmail.com
Wed Nov 12 12:16:14 EST 2003


It is a pity that sudo does not contemplate ./*, since without it, any 
individual restriction you want to impose can be easily bypassed.

Thanks to all for the answers.




>From: Howard Owen <hbo at egbok.com>
>To: Martin Vazquez <mtrash1 at hotmail.com>
>CC: Eric.Ladner at chevrontexaco.com, shadhanker at gmx.net,sudo-users at sudo.ws
>Subject: RE: how to prevent ./*
>Date: Wed, 12 Nov 2003 08:19:32 -0800
>
> From sudoers(5):
>
>	A Cmnd_List is a list of one or more commandnames, directories,
>	and other aliases.  A commandname is a fully qualified filename
>	which may include shell-style wildcards ...
>
>So neither the plain command name, nor ./name are permitted, since they
>are not fully qualified.
>
>If you want to prevent a user from running /bin/ls, for example, you
>can specify the full path. But as you note the user can simply copy the
>executable somewhere else and run that. Since you can specify shell
>"glob" expressions, you could do this:
>
>	test2   ALL=(ALL)       ALL,!/ls,!/*/ls,!/*/*/ls
>
>And so on down to the limit of your filesystem's nested directories.
>Note however that they could name the file 'foo' and get around any such
>restrictions.
>
>On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> > Thanks, however, sudoers' syntax won't let me do that.
> >
> >
> > >From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
> > >To: "Martin Vazquez" <mtrash1 at hotmail.com>, shadhanker at gmx.net,
> > >sudo-users at sudo.ws
> > >Subject: RE: how to prevent ./*
> > >Date: Wed, 12 Nov 2003 08:08:44 -0600
> > >
> > >
> > >How about just !XX?
> > >
> > >-----Original Message-----
> > >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On
> > >Behalf Of Martin Vazquez
> > >Sent: Wednesday, November 12, 2003 6:31 AM
> > >To: shadhanker at gmx.net; sudo-users at sudo.ws
> > >Subject: Re: how to prevent ./*
> > >
> > >
> > >
> > >Hi Rahul,
> > >
> > >Thank you very much for your answer.
> > >Unfortunately, I did not express myself correctly in my initial mail.
> > >When I configure !/usr/bin/XX, the users are still allowed to do
> > >sudo ./XX, because ./ does not match /usr/bin.
> > >
> > >Any further idea?
> > >
> > >Thanks again
> > >
> > >Martin
> > >
> > > >From: "Rahul" <shadhanker at gmx.net>
> > > >To: "Martin Vazquez" <mtrash1 at hotmail.com>,<sudo-users at sudo.ws>
> > > >Subject: Re: how to prevent ./*
> > > >Date: Wed, 12 Nov 2003 14:41:58 +0530
> > > >
> > > >Hello Martin,
> > > >
> > > >You can configure the sudoers file with "!/usr/bin/XX".
> > > >But make sure that the user (who is in the sudoers file) is using
> > > >$ sudo ./XX  [or] $ sudo /usr/bin/XX
> > > >
> > > >NOT just
> > > >
> > > >$./XX or
> > > >$/usr/bin/XX
> > > >
> > > >Hope this helps, and let me know how it works.
> > > >
> > > >Thanks and Regards,
> > > >-sadha
> > > >
> > > >
> > > > > Can anyone tell me how to configure sudoers in order to prevent
> > > > > someone from doing ./* ?
> > > > > I am trying to prevent someone from executing a command XX, so I
> > > > > configured
> > > > >
> > > > > !/usr/bin/XX
> > > > >
> > > > > but still that user can go and do cd /usr/bin, ./XX.
> > > > >
> > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error.
> > > > >
> > > > > Can anyone tell how to do it?
> > > > >
> > > > > By the way, is it possible to include subdirectories when using
> > > > > wildcards?
> > > > > For instance, I would like !/usr/* to prevent doing anything
> > > > > under /usr, including subdirectories. Any idea?
> > > > >
> > > > > Thanks a lot
> > > > >
> > > > > Martin
> > > > >
> > > > >
> > > > > ____________________________________________________________
> > > > > sudo-users mailing list <sudo-users at sudo.ws>
> > > > > For list information, options, or to unsubscribe, visit:
> > > > > http://www.sudo.ws/mailman/listinfo/sudo-users
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
>


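Added example, not part of the thread or of sudo itself: a small Python model of how sudo evaluates a Cmnd_List, to make Howard Owen's point about globs and copied binaries concrete. Two properties of sudoers command matching are modelled: a wildcard never matches a `/` (sudoers(5) documents this; sudo calls fnmatch(3) with FNM_PATHNAME), so `/*/ls` reaches exactly one directory level, and within a Cmnd_List the last matching entry decides, a matching `!` entry denying. Command arguments, Cmnd_Alias expansion and sudo's checks on the actual binary are left out. The Cmnd_Lists and the sample paths (`/tmp/foo` standing for a renamed copy of ls) are constructed for illustration.

```python
"""Model of sudo's Cmnd_List matching (constructed illustration, not sudo source).

Modelled behaviour:
  * ``*`` and ``?`` never match a ``/`` (sudoers(5): wildcards stop at a slash;
    sudo uses fnmatch(3) with FNM_PATHNAME), so ``/*/ls`` is one level deep;
  * a spec ending in ``/`` is a directory spec: files in that directory only;
  * within a Cmnd_List the last matching entry decides, and a matching ``!``
    entry denies.
Command arguments and inode/realpath checks on the binary are not modelled.
"""
import re


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a sudoers path wildcard into a regex whose wildcards stop at '/'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def cmnd_matches(spec: str, path: str) -> bool:
    """Does one Cmnd_List entry (without its '!') match a fully-qualified path?"""
    if spec == "ALL":
        return True
    if spec.endswith("/"):
        # Directory spec: any file directly in that directory, no subdirectories.
        return path.startswith(spec) and "/" not in path[len(spec):]
    return glob_to_regex(spec).match(path) is not None


def cmnd_list_allows(cmnd_list: str, path: str) -> bool:
    """Evaluate a comma-separated Cmnd_List the way sudo does: last match wins."""
    allowed = False  # no entry matched at all -> not permitted
    for raw in cmnd_list.split(","):
        entry = raw.strip()
        spec = entry.lstrip("!")
        negated = (len(entry) - len(spec)) % 2 == 1  # an odd number of '!' negates
        if cmnd_matches(spec, path):
            allowed = not negated
    return allowed


# The blocklist from the thread: everything except ls, up to three levels deep.
BLOCKLIST_LS = "ALL, !/ls, !/*/ls, !/*/*/ls"
# The shape that actually holds: grant only the commands that are needed.
ALLOWLIST = "/usr/bin/passwd, /sbin/reboot"

# Constructed sample paths: the usual binaries, a deeper copy, and a renamed copy.
SAMPLE_PATHS = ["/bin/ls", "/usr/bin/ls", "/usr/local/bin/ls", "/tmp/foo"]


def evaluate(cmnd_list: str, paths=SAMPLE_PATHS) -> dict:
    """Map each path to whether cmnd_list lets it run via sudo."""
    return {p: cmnd_list_allows(cmnd_list, p) for p in paths}


if __name__ == "__main__":
    for name, cl in (("blocklist", BLOCKLIST_LS), ("allowlist", ALLOWLIST)):
        print(name, cl)
        for p, ok in evaluate(cl).items():
            print(f"  {p:<20} {'permitted' if ok else 'denied'}")
    # The subdirectory question from the thread: does !/usr/* cover /usr/bin/ls?
    print("/usr/* matches /usr/bin/ls:", cmnd_matches("/usr/*", "/usr/bin/ls"))
```

Run as written, the blocklist denies /bin/ls and /usr/bin/ls but permits /usr/local/bin/ls (one level deeper than the list reaches) and /tmp/foo (the copied-and-renamed binary), and `/usr/*` does not reach /usr/bin/ls because the wildcard stops at the slash. The allow-list variant permits only the two named paths, which is why subtracting from ALL with `!` is not a usable restriction while a positive list of full paths is.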

