[sudo-users] regarding shell escape

Ran Li Ran.Li at rti.rogers.com
Thu Dec 29 13:32:53 EST 2005

Hi Huibert / list,

Are you using LDAP as the sudoer source? If so, how do you implement the noexec option on it? Could you share some tips on that?

Regarding the script to prevent shell escapes, is it shareable here? Thanks.



-----Original Message-----
From: Huibert.Kivits at mail.ing.nl [mailto:Huibert.Kivits at mail.ing.nl] 
Sent: Thursday, December 29, 2005 1:18 PM
To: Ran Li; sudo-users at sudo.ws
Subject: RE: [sudo-users] regarding shell escape

Hi Ran,

The noexec-option does not work on all platforms. It works on Solaris, but definitely not on AIX.

With regard to "vi", there is another option for preventing shell escapes. Instead of allowing "sudo vi", you should allow "sudo -e" or "sudoedit" only.

For AIX, a guru over here wrote a script which should prevent all shell escapes, for any sudo. You should test it on other platforms though. We manage Solaris systems as well, but with the noexec-option available, why rely on a script?

The script only matters for programs that offer the opportunity for a shell escape. It is not recommended to use it in other circumstances, as it would make the sudo syntax even more complicated. It may even challenge your ability to further restrict sudo commands. The sudo syntax (at least, if you authorize sudo via LDAP, as we do) only allows for a limited number of mandatory options.

Basically, what you need to do is:
- Place the script somewhere on the system, say: /usr/local/bin/script, or /usr/bin/script
- It is not recommended that anyone be able to modify the script. Permissions 555 are OK.
- You should authorize sudo commands to be executed like the following:
  sudo /usr/local/bin/script <the_real_command>
- The script contains two lines:
  export SHELL=/usr/bin/false
- This script works for the Korn Shell. I'm not really a shell expert, so I do not know for sure if this will work on other shells as well. It should be a piece of cake to test it, though.

Good luck!

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,

Huibert Kivits

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions." Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ran Li
Sent: Thursday, 29 December 2005 17:50
To: sudo-users at sudo.ws
Subject: [sudo-users] regarding shell escape

Hello all,

I'm using LDAP for sudoer entries, yet I cannot prevent shell escapes properly. My platforms are SunOS 5.9, 5.10, HP-UX 11.11, Linux 2.6.9-11, sudo version 1.6.8p12.

After compiling, when I run `sudo -V | grep "dummy exec"` I get:
# ./sudo -V | grep "dummy exec"
File containing dummy exec functions: /opt/sudo/libexec/sudo_noexec.so

and sudo_noexec.so is in place.

I tried to create a role called noexec ... it does not forbid the vi shell escape.

LDAP Role: Noexec

I also tried to add noexec as a prefix of a sudoCommand; that does not work either ..

LDAP Role: Admin
    NOEXEC: /usr/bin/less
    NOEXEC: /bin/vi
    NOEXEC: /usr/bin/vi

Other than completely blocking the vi command, does anybody have experience with preventing shell escapes properly using LDAP sudoer entries? Thanks.



sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
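The wrapper idea from Huibert's message, as an added example that is not the script his colleague wrote and not part of the original thread: a POSIX sh version of the two-line Korn shell wrapper, plus two helper functions that show what it stops and what it does not. The install path /usr/local/bin/noshell, the sudoers and LDAP lines in the comments, and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumed install path:
# /usr/local/bin/noshell, mode 555, owned by root.
#
# Invocation the policy should allow (assumed examples):
#   sudoers:  alice  ALL = (root) /usr/local/bin/noshell /usr/bin/less *
#   LDAP:     sudoCommand: /usr/local/bin/noshell /usr/bin/less *
# Where sudo's own noexec works (supported OS, dynamically linked target),
# prefer it instead:
#   sudoers:  alice  ALL = (root) NOEXEC: /usr/bin/less
#   LDAP:     sudoOption: noexec        (attribute of the sudoRole entry)

# The wrapper itself: the "export SHELL=/usr/bin/false" idea in POSIX form,
# followed by exec of the real command. Programs that honour $SHELL for
# their escapes (vi ":sh" and ":!", less "!", more, mail, ...) now spawn
# /usr/bin/false instead of a shell.
noshell_run() {
    SHELL=/usr/bin/false
    export SHELL
    exec "$@"
}

# --- demonstration helpers (constructed for this example) ------------------

# What a well-behaved child program sees in $SHELL under the wrapper.
shell_seen_by_child() {
    ( noshell_run sh -c 'printf %s "$SHELL"' )
}

# An escape that goes through $SHELL, the way vi's ":sh" does:
# /usr/bin/false runs instead of a shell, so nothing is printed.
escape_via_dollar_shell() {
    ( noshell_run sh -c '"$SHELL" -c "echo got a shell" 2>/dev/null' ) || true
}

# The limitation: a program that hard-codes /bin/sh (or is a shell itself)
# ignores $SHELL entirely. Only sudo's noexec, or not granting the command
# at all, stops this one.
escape_via_hardcoded_sh() {
    ( noshell_run sh -c '/bin/sh -c "echo got a shell"' )
}

# With arguments, act as the wrapper; with none, print the demonstration.
if [ "$#" -gt 0 ]; then
    noshell_run "$@"
fi
printf 'child sees SHELL=%s\n' "$(shell_seen_by_child)"
printf 'escape through $SHELL prints: [%s]\n' "$(escape_via_dollar_shell)"
printf 'escape through hard-coded /bin/sh prints: [%s]\n' "$(escape_via_hardcoded_sh)"
```

The third helper is the reason to prefer sudo's noexec where it exists: a $SHELL wrapper only disarms escapes that consult $SHELL, and it does nothing for a program that forks /bin/sh by its absolute path. Two further caveats: sudo_noexec.so works by preloading a library into the target, so a statically linked target is not covered either; and whatever is granted through the wrapper must be pinned in the policy to an absolute command path and argument list, otherwise `noshell /bin/sh` is itself the escape.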