how to prevent ./*

Howard Owen hbo at egbok.com
Wed Nov 12 15:13:41 EST 2003


Doesn't work that way for me:

hbo at owen|1043> sudo grep test2 /etc/sudoers
test2   ALL= /bin/cp,   !/bin/cp /etc/shadow
hbo at owen|1044> su - test2
Password:
-bash-2.05b$ sudo cp /etc/shadow .
Password:
-bash-2.05b$ sudo /bin/cp /etc/shadow .
-bash-2.05b$ sudo -V
Sudo version 1.6.6
-bash-2.05b$ rm -f shadow

It looks like it's taking the first match.

On Wed, 2003-11-12 at 11:36, Martin Vazquez wrote:
> Please forgive me for being so insistent. I did not want to make too many 
> explanations before because I wanted to make it simple.
> 
> I need to allow a certain user to copy and edit as root a lot of files, but 
> I don't want him to either copy or edit for example files under /usr/bin, or 
> /etc/shadow.
> 
> When I do :    test ALL= /usr/bin/cp,  !/usr/bin/cp /etc/shadow
> 
> bash-2.03$ sudo cp /etc/shadow $HOME
> Sorry, user alcatel is not allowed to execute '/usr/bin/cp /etc/shadow 
> /opt/netmgt/users/alcatel' as root on delserva5.
> bash-2.03$ cd /usr/bin
> bash-2.03$ sudo ./cp /etc/shadow $HOME
> bash-2.03$
> 
> and the copy is done.
> 
> 
> I think that in that case the ./ is not expanded, could that be possible?
> 
> Any ideas??
> 
> 
> 
> >From: Howard Owen <hbo at egbok.com>
> >To: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
> >CC: Martin Vazquez <mtrash1 at hotmail.com>, shadhanker at gmx.net,   
> >sudo-users at sudo.ws
> >Subject: RE: how to prevent ./*
> >Date: Wed, 12 Nov 2003 10:38:57 -0800
> >
> >
> >On Wed, 2003-11-12 at 09:31, Ladner, Eric (Eric.Ladner) wrote:
> > > Well, I'd have to check, but I think that sudo expands all commands to a
> > > full path before checking against the rules (i.e. you type ./ls, $PWD is
> > > /usr/bin, so you really are executing /usr/bin/ls, then check the
> > > rules).
> > >
> >
> >That's true:
> >
> >hbo at owen|1027> su - test2
> >Password:
> >-bash-2.05b$ sudo grep test2 /etc/sudoers
> >Password:
> >test2   ALL=(ALL)       ALL,!/bin/ls
> >-bash-2.05b$ cd /bin
> >-bash-2.05b$ ./ls
> >.. (listing) ..
> >-bash-2.05b$ sudo ./ls
> >Sorry, user test2 is not allowed to execute './ls' as root on
> >owen.egbok.com.
> >
> >
> >
> > > Eric
> > >
> > > -----Original Message-----
> > > From: Martin Vazquez [mailto:mtrash1 at hotmail.com]
> > > Sent: Wednesday, November 12, 2003 11:16 AM
> > > To: hbo at egbok.com
> > > Cc: Ladner, Eric (Eric.Ladner); shadhanker at gmx.net; sudo-users at sudo.ws
> > > Subject: RE: how to prevent ./*
> > >
> > >
> > >
> > > It is a pity that sudo does not contemplate ./*, since without it, any
> > > individual restriction you want to impose can be easily bypassed.
> > >
> > > thanks to all the answers
> > >
> > >
> > >
> > >
> > > >From: Howard Owen <hbo at egbok.com>
> > > >To: Martin Vazquez <mtrash1 at hotmail.com>
> > > >CC: Eric.Ladner at chevrontexaco.com,
> > > >shadhanker at gmx.net,sudo-users at sudo.ws
> > > >Subject: RE: how to prevent ./*
> > > >Date: Wed, 12 Nov 2003 08:19:32 -0800
> > > >
> > > >From sudoers(5):
> > > >
> > > >	A Cmnd_List is a list of one or more commandnames, directories,
> > > >	and other aliases.  A commandname is a fully qualified filename
> > > >	which may include shell-style wildcards ..
> > > >
> > > >So neither the plain command name, nor ./name are permitted, since they
> > > >are not fully qualified.
> > > >
> > > >If you want to prevent a user from running /bin/ls, for example, you
> > > >can specify the full path. But as you note the user can simply copy the
> > > >executable somewhere else and run that. Since you can specify shell
> > > >"glob" expressions, you could do this:
> > > >
> > > >	test2   ALL=(ALL)       ALL,!/ls,!/*/ls,!/*/*/ls
> > > >
> > > >And so on down to the limit of your filesystem's nested directories.
> > > >Note however that they could name the file 'foo' and get around any
> > > >such restrictions.
> > > >
> > > >On Wed, 2003-11-12 at 11:40 -0300, Martin Vazquez wrote:
> > > > > Thanks, however, sudoers' syntax won't let me do that.
> > > > >
> > > > >
> > > > > >From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at chevrontexaco.com>
> > > > > >To: "Martin Vazquez" <mtrash1 at hotmail.com>, shadhanker at gmx.net,
> > > > > >sudo-users at sudo.ws
> > > > > >Subject: RE: how to prevent ./*
> > > > > >Date: Wed, 12 Nov 2003 08:08:44 -0600
> > > > > >
> > > > > >
> > > > > >How about just !XX?
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: sudo-users-bounces at sudo.ws
> > > > > >[mailto:sudo-users-bounces at sudo.ws] On Behalf Of Martin Vazquez
> > > > > >Sent: Wednesday, November 12, 2003 6:31 AM
> > > > > >To: shadhanker at gmx.net; sudo-users at sudo.ws
> > > > > >Subject: Re: how to prevent ./*
> > > > > >
> > > > > >
> > > > > >
> > > > > >Hi Rahul,
> > > > > >
> > > > > >Thank you very much for your answer.
> > > > > >Unfortunately, I did not express myself correctly in my initial
> > > > > >mail. When I configure !/usr/bin/XX, then the users are still
> > > > > >allowed to do sudo ./XX, because ./ does not match with /usr/bin.
> > > > > >
> > > > > >Any further idea?
> > > > > >
> > > > > >Thanks again
> > > > > >
> > > > > >Martin
> > > > > >
> > > > > > >From: "Rahul" <shadhanker at gmx.net>
> > > > > > >To: "Martin Vazquez" <mtrash1 at hotmail.com>,<sudo-users at sudo.ws>
> > > > > > >Subject: Re: how to prevent ./*
> > > > > > >Date: Wed, 12 Nov 2003 14:41:58 +0530
> > > > > > >
> > > > > > >Hello Martin,
> > > > > > >
> > > > > > >You can configure sudoers files with "!/usr/bin/XX".
> > > > > > >But make sure that the user (who is in the sudoers file) is using
> > > > > > >
> > > > > > >$ sudo ./XX  [or] $ sudo /usr/bin/XX
> > > > > > >
> > > > > > >NOT just
> > > > > > >
> > > > > > >$./XX or
> > > > > > >$/usr/bin/XX
> > > > > > >
> > > > > > >Hope this helps and let me know how it works.
> > > > > > >
> > > > > > >Thanks and Regards,
> > > > > > >-sadha
> > > > > > >
> > > > > > >
> > > > > > > > Can anyone tell me how to configure sudoers in order to
> > > > > > > > prevent someone from doing ./* ?
> > > > > > > > I am trying to prevent someone from executing a command XX, so
> > > > > > > > I configured
> > > > > > > >
> > > > > > > > !/usr/bin/XX
> > > > > > > >
> > > > > > > > but still that user can go and do cd /usr/bin, ./XX.
> > > > > > > >
> > > > > > > > I cannot seem to put ! ./XX in sudoers, I get a syntax error.
> > > > > > > >
> > > > > > > > Can anyone tell how to do it?
> > > > > > > >
> > > > > > > > By the way, is it possible to include subdirectories when
> > > > > > > > putting wildcards?
> > > > > > > > For instance, I would like !/usr/* to prevent from doing
> > > > > > > > everything under /usr, including subdirectories. Any idea?
> > > > > > > >
> > > > > > > > Thanks a lot
> > > > > > > >
> > > > > > > > Martin
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >--
> >Howard Owen                      "Even if you are on the right
> >EGBOK Consultants                 track, you'll get run over if you
> >hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
> >
> >
> 
-- 
Howard Owen                      "Even if you are on the right
EGBOK Consultants                 track, you'll get run over if you
hbo at egbok.com    +1-650-339-5733  just sit there." - Will Rogers
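As an added example, not code from this thread or from sudo itself, here is a small Python model of the sudoers(5) matching rules the thread turns on: the typed command is resolved to an absolute path before it is compared (so ./ls typed in /bin is /bin/ls), a wildcard in the command path does not cross a "/", an entry that lists arguments matches only when the user's arguments match it exactly (or via its wildcards), and the last matching entry decides. The sample Cmnd_Lists, the fake PATH table, the cwd values and the /home/test2 destination are constructed for the demonstration; the path/inode comparison real sudo performs is simplified to a path comparison. The model replays the transcripts above and contrasts a "!" denylist with an allowlist that names its arguments.

```python
"""Toy model of sudoers(5) command matching (added example, not sudo's code):
last match wins, '!' negates, command paths are compared after resolution,
argument lists are compared only when the entry lists arguments."""
import fnmatch
import posixpath
import re

# Constructed sample entries, each a sudoers Cmnd_Spec: "ALL" or "path [args]".
DENY_LS = ["ALL", "!/bin/ls"]                          # Howard's first test
DENY_SHADOW_COPY = ["/bin/cp", "!/bin/cp /etc/shadow"]   # Howard's second test
ALLOWLIST = ["/bin/cp /var/log/* /home/test2/"]          # allowlist alternative

# Assumed PATH lookup results for bare command names (constructed).
FAKE_PATH = {"cp": "/bin/cp", "ls": "/bin/ls"}


def resolve(cmd, cwd):
    """Absolute path that the rule is compared against.  A bare name goes
    through the (fake) PATH; anything containing a slash is resolved against
    cwd, so './ls' typed in /bin becomes '/bin/ls'."""
    if "/" not in cmd:
        return FAKE_PATH.get(cmd, cmd)
    return posixpath.normpath(posixpath.join(cwd, cmd))


def path_glob(pattern, path):
    """Shell-style match in which '*' and '?' never cross a '/', the
    fnmatch(3) FNM_PATHNAME behaviour sudo uses for the command path.
    Bracket classes are not modelled (simplification)."""
    regex = "".join(
        "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        for c in pattern
    )
    return re.fullmatch(regex, path) is not None


def entry_matches(spec, path, args):
    """One un-negated Cmnd_Spec against a resolved command and its args."""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    if not path_glob(spec_path, path):
        return False
    if spec_args == "":           # no args in the entry: any args are allowed
        return True
    if spec_args == '""':         # "" in the entry: the command must take no args
        return args == ""
    # Args must match exactly, or via the entry's shell-style wildcards.
    return fnmatch.fnmatchcase(args, spec_args)


def decide(entries, cmd, args, cwd="/"):
    """Evaluate a Cmnd_List: the last matching entry decides, '!' denies,
    and no match at all is also a denial."""
    path = resolve(cmd, cwd)
    verdict = False
    for entry in entries:
        negated = entry.startswith("!")
        spec = entry[1:].strip() if negated else entry
        if entry_matches(spec, path, args):
            verdict = not negated
    return verdict


def examples():
    """Replay the situations from the thread; True means sudo would run it."""
    return {
        # './ls' typed in /bin resolves to /bin/ls, so the '!' entry applies.
        "dot_ls_in_bin": decide(DENY_LS, "./ls", "", cwd="/bin"),
        # A copy of the binary elsewhere has a different path: the deny is moot.
        "copied_ls": decide(DENY_LS, "/tmp/ls", "", cwd="/bin"),
        # '!/bin/cp /etc/shadow' requires the args to be exactly '/etc/shadow';
        # the typed args are '/etc/shadow .', so only the open '/bin/cp' matches.
        "cp_shadow_dot": decide(DENY_SHADOW_COPY, "cp", "/etc/shadow ."),
        # With exactly the arguments the '!' entry names, the copy is denied.
        "cp_shadow_exact": decide(DENY_SHADOW_COPY, "/bin/cp", "/etc/shadow"),
        # Martin's subdirectory question: '!/usr/*' does not reach /usr/bin/ls
        # because the wildcard stops at '/'.
        "usr_star_subdir": decide(["ALL", "!/usr/*"], "/usr/bin/ls", ""),
        # Allowlist: only the named source pattern and destination are allowed,
        # and resolution means './cp' in /bin is judged the same as /bin/cp.
        "allow_log_copy": decide(ALLOWLIST, "cp", "/var/log/messages /home/test2/"),
        "allow_shadow_copy": decide(ALLOWLIST, "cp", "/etc/shadow /home/test2/"),
        "allow_dot_cp": decide(ALLOWLIST, "./cp", "/var/log/messages /home/test2/", cwd="/bin"),
    }


if __name__ == "__main__":
    for name, allowed in examples().items():
        print(f"{name:20s} {'allowed' if allowed else 'denied'}")
```

Run as a script it prints one verdict per case. The "cp /etc/shadow ." case comes out allowed because the user's argument string is "/etc/shadow .", which is not the "/etc/shadow" the negated entry names, so the unrestricted /bin/cp entry is the only one that matches; the allowlist cases show the shape that holds up: name the command with the argument patterns you intend to permit, and leave no entry that allows arbitrary arguments.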