[sudo-users] (no subject)

Hugh_Pierce at freddiemac.com Hugh_Pierce at freddiemac.com
Wed Dec 29 13:48:09 EST 2004


Reply:

We use Perl wrappers to control what commands can get run.

In the passwd file:

rsync:x:65005:1:Rsync ID:/export/home/rsync:/export/home/rsync/rwrap.pl


# more rwrap.pl
#!/usr/bin/perl -w
#----------------------------------------------------------------------------
#
#   Script Name: rwrap.pl
#
#       Purpose: Secure transfer wrapper for login shells
#
#         Usage: rwrap.pl
#
#           $Id: rwrap.pl,v 1.1 2003/10/28 03:48:15 root Exp root $
#
#----------------------------------------------------------------------------
use strict;
#----------------------------------------------------------------------------
#
#       Customization
#
#----------------------------------------------------------------------------
        my $COMMAND = '/usr/local/bin/rsync --server -logtprz --delete .';
        my $SUDO = '/usr/local/bin/sudo';
        my @file_transfer_paths = qw(
                /path/to/stuff
                /etc/sudoers
        ); # no trailing '/' please. This is where you add valid paths.
        my $send_mail          = 1; # 1 = TRUE, 0 = FALSE
        my $path_to_sendmail   = '/usr/lib/sendmail';
        my @recipients = qw(
                dog@bark.com
        );
#----------------------------------------------------------------------------
#
#       Main
#
#----------------------------------------------------------------------------
        my $file_transfer_path = join '|', @file_transfer_paths;
        # Quoted copy for use inside the regexes, so '.' and other
        # metacharacters in a path match literally.
        my $file_transfer_re   = join '|', map { quotemeta($_) } @file_transfer_paths;
        chomp(my $host=`uname -n | cut -d. -f1`);
        my $from_email         = "root\@$host";

        # sshd invokes a login shell as "shell -c 'command'", so the remote
        # command arrives in $ARGV[1] ($ARGV[0] is "-c").
        if ($ARGV[1])
        {
                # \Q...\E: the '.' in $COMMAND must match a literal dot only.
                if ($ARGV[1] =~ /^\Q$COMMAND\E /)
                {
                        # Sending a file to this machine.
                        # \z instead of $ so a trailing newline is rejected as well.
                        if ($ARGV[1] =~ /^\Q$COMMAND\E (($file_transfer_re)(?:\/[\w\.\-]*)?)\z/)
                        {
                                # Destination specified must not be a
                                # subdirectory of $file_transfer_path/
                                my $destination = $1;
                                if (-d $destination and $destination !~ /^($file_transfer_re)(?:\/\.?)?\z/)
                                {
                                        &abort("Invalid rsync destination (subdirectory of $file_transfer_path/).  Will not rsync.");
                                }
                                else
                                {
                                        # It's ok to rsync something INTO $file_transfer_path/
                                        # For security, use good form in calling exec:
                                        # the list form passes the validated words straight
                                        # to sudo, with no shell re-parsing the string.
                                        my ($command, @args) = split /\s+/, $ARGV[1];
                                        exec $SUDO, $command, @args
                                                or &abort("exec of $SUDO failed: $!");
                                }
                        }
                        else
                        {
                                &abort("Invalid rsync destination.  Will not rsync.");
                        }
                }
                else
                {
                        &abort("Invalid command.  Will not rsync.");
                }
        }
        else
        {
                &abort("No command specified.  Will not rsync.");
        }
#----------------------------------------------------------------------------
#
#       Abort!!
#
#----------------------------------------------------------------------------
sub abort
{
        my $message = shift    || ''; # avoid warning
        my $command = $ARGV[1] || ''; # avoid warning
        my $argv0   = $ARGV[0] || ''; # avoid warning
        my $host = `hostname`;
        $host =~ s/\..*//; # only care about first section
        chomp $host; # only redundant if substitution succeeded

        if ($send_mail)
        {
                open MAIL, "| $path_to_sendmail -t" or die "\n";
                print MAIL "To: " . join (', ', @recipients) . "\n";
                print MAIL "From: rsync Wrapper <$from_email>\n";
                print MAIL "Subject: $host - rsync FAILED\n\n";
                print MAIL "Attempted Command: $command\n";
                print MAIL "Command: $COMMAND\n";
                print MAIL "Warning Given: $message\n\n";
                print MAIL "ARGV[0] is: $argv0\n";
                print MAIL "ARGV[1] is: $command\n\n";
                print MAIL "ENV is:\n";
                for (sort keys %ENV)
                {
                        print MAIL "\t$_ : $ENV{$_}\n";
                }
                close MAIL;
        }

        # Include newline so filename of wrapper is not divulged.
        warn "$message\n";
        exit 1; # non-zero so the remote rsync client sees the failure
}
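To see what the wrapper's allow-list actually accepts and rejects, here is an added re-implementation of its three checks in Python, written for this page and not taken from the list post or from rwrap.pl's author. It can be run against sample command strings without sshd, sudo or rsync. The COMMAND, path and sudo constants are copied from the script's Customization block; the set of existing directories, the sample command lines and the `escape` switch are constructed for the example. The switch shows the difference between interpolating the constants into the regex unquoted, as the posted script does, and quoting them.

```python
"""Added example: the allow-list check from rwrap.pl re-implemented in Python so it
can be exercised against sample command strings without a live sshd or sudo."""
import os
import re

# Mirrors the wrapper's Customization block.
COMMAND = "/usr/local/bin/rsync --server -logtprz --delete ."
FILE_TRANSFER_PATHS = ["/path/to/stuff", "/etc/sudoers"]
SUDO = "/usr/local/bin/sudo"

# Constructed stand-in for the target filesystem: paths that exist as directories.
EXISTING_DIRS = {"/path/to/stuff", "/path/to/stuff/archive"}


def is_dir(path):
    """Stand-in for Perl's -d test; normpath folds 'stuff/' and 'stuff/.' onto 'stuff'."""
    return os.path.normpath(path) in EXISTING_DIRS


def build_patterns(command, allowed_paths, escape=True):
    """Compile the three regexes the wrapper applies.  rwrap.pl interpolates its
    constants unescaped; escape=False reproduces that, so the '.' in COMMAND
    matches any single character.  escape=True quotes them (Perl's \\Q...\\E)."""
    cmd = re.escape(command) if escape else command
    alts = "|".join(re.escape(p) if escape else p for p in allowed_paths)
    prefix = re.compile(r"^" + cmd + r" ")
    # \Z (not $) so a trailing newline cannot ride along on the destination.
    full = re.compile(r"^" + cmd + r" ((" + alts + r")(?:/[\w.\-]*)?)\Z")
    base = re.compile(r"^(?:" + alts + r")(?:/\.?)?\Z")
    return prefix, full, base


def check_command(argv1, is_dir=is_dir, escape=True):
    """Decide what the wrapper does with the string sshd passes as $ARGV[1].
    Returns ("exec", argv) when sudo would be run, else ("abort", reason)."""
    if not argv1:
        return ("abort", "No command specified.")
    prefix, full, base = build_patterns(COMMAND, FILE_TRANSFER_PATHS, escape)
    if not prefix.match(argv1):
        return ("abort", "Invalid command.")
    m = full.match(argv1)
    if not m:
        return ("abort", "Invalid rsync destination.")
    destination = m.group(1)
    # An existing directory is only acceptable if it is the allowed path itself
    # (with or without a trailing '/' or '/.'), never something beneath it.
    if is_dir(destination) and not base.match(destination):
        return ("abort", "Invalid rsync destination (subdirectory of allowed path).")
    # List-form argv: every word has already passed the regex, and no shell
    # re-parses the string between here and sudo.
    return ("exec", [SUDO] + argv1.split())


# Constructed sample command strings, as an rsync client would hand them to the
# remote login shell, with the decision the wrapper is expected to reach.
CASES = {
    "push_sudoers":      (COMMAND + " /etc/sudoers", "exec"),
    "into_allowed_dir":  (COMMAND + " /path/to/stuff/", "exec"),
    "new_file_in_dir":   (COMMAND + " /path/to/stuff/report.txt", "exec"),
    "subdir_of_allowed": (COMMAND + " /path/to/stuff/archive", "abort"),
    "sibling_prefix":    (COMMAND + " /etc/sudoers.d", "abort"),
    "outside_allowlist": (COMMAND + " /etc/shadow", "abort"),
    "extra_argument":    (COMMAND + " /etc/sudoers /etc/shadow", "abort"),
    "other_program":     ("ls -l /etc", "abort"),
    "empty":             ("", "abort"),
}


def run_cases(escape=True):
    """Evaluate every sample and return {name: decision}."""
    return {name: check_command(cmd, escape=escape)[0] for name, (cmd, _) in CASES.items()}


def all_as_expected(escape=True):
    """True when every sample reaches the decision recorded in CASES."""
    decisions = run_cases(escape)
    return all(decisions[n] == want for n, (_, want) in CASES.items())


# Same command with the '.' argument replaced by another character: the quoted
# regex rejects it, the unquoted one (as in the posted script) lets it through.
VARIANT = "/usr/local/bin/rsync --server -logtprz --delete X /etc/sudoers"


def variant_decisions():
    """(decision with quoted constants, decision with raw constants)."""
    return (check_command(VARIANT, escape=True)[0], check_command(VARIANT, escape=False)[0])


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:20s} -> {decision}")
    print("variant (quoted, raw):", variant_decisions())
```

The interesting rows are `sibling_prefix` and `extra_argument`: both are rejected only because the destination regex is anchored at both ends and the path alternation is followed by an optional `/` component, not a free-form tail. The `variant_decisions` pair shows why the constants should be quoted before interpolation.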


Original:

[sudo-users] Distributing the sudoers file using rsync as a non root user
Paul M. Lambert plambert at plambert.net
Thu Sep 30 22:00:43 MDT 2004

On Sep 30, 2004, at 7:43 AM, Martin Schröder wrote:

> On 2004-09-30 16:15:33 +0200, martin f krafft wrote:
>> You are effectively giving the rsync user root rights to the local
>> and all remote machines. rsync can read /etc/shadow, and rsync can
>> copy binaries between machines (and locally) as root, preserving
>> permissions. yay, setuid shells!
>
> Yes. :-{
> This can be controlled a bit by setting options in
> ~/.ssh/authorized_keys
>
>

authorized_keys can only control what command is run.  In this case,
that command is rsync, and it can write to any file it has write
privileges to.  Running it as root gives it write privileges to every
file, so it can essentially do anything it wants.

authorized_keys can't say "let the user run rsync, but don't let it
write to anything but /etc/sudoers," and even if it could, it wouldn't
help, because that's enough to compromise a system.

Giving any local user write access to /etc/sudoers allows that user to
give itself full root privileges.  Changing the mechanism of writing to
something confusing like rsync doesn't change the outcome.

Just as you wouldn't give a person you don't want in your house the job
of holding on to your housekeys and deciding who to give them to, any
account you allow to write to the sudoers file can put itself in it.

--plambert

More information about the sudo-users mailing list