[sudo-users] regarding shell escape

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Thu Dec 29 14:18:03 EST 2005


Hi Ran,

Oh, well, it was just those two lines, basically:

  export SHELL=/usr/bin/false   # vi, less and similar spawn $SHELL for "!" escapes; false just exits 1
  "$@"                          # run the real command; "$@" keeps argument boundaries, unquoted $* does not

Good luck !

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits
OPS&ITB/WPS/UAS/MSO UNIX
Locatiecode NA 00.92
T (020) 563 72 77, F (020) 563 70 02
E Huibert.Kivits at mail.ing.nl

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4



-----Original Message-----
From: Ran Li [mailto:Ran.Li at rti.rogers.com]
Sent: Thursday, December 29, 2005 20:07
To: Kivits, H.P. (Huibert); sudo-users at sudo.ws
Subject: RE: [sudo-users] regarding shell escape


Hi Huibert,

Thanks for sharing the info. I forgot to put sudoOption=noexec when creating the NOEXEC role; it's working now.

For the script, thanks for sharing it too, but somehow I could not find it in the mail attachment. May I ask how you shared it?

Appreciated!

Regards,

Ran

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Huibert.Kivits at mail.ing.nl
Sent: Thursday, December 29, 2005 1:52 PM
To: Ran Li; sudo-users at sudo.ws
Subject: RE: [sudo-users] regarding shell escape


Hi Ran,

At our business unit, sudo is only allowed to be authorized through LDAP.

You will have to create a folder ou=SUDOers in your LDAP directory server to store sudo authorizations. Though it is not a technical requirement, I would recommend you to create an entry cn=defaults in this folder. In this entry, you can set a general option for noexec by adding a sudoOption attribute:
sudoOption: noexec

In some cases, you may wish to make an exception. That is because otherwise, you will not be able to have any script executed via sudo.

Sudo's that require an exception to the general noexec option should be put in separate entries under ou=SUDOers. You will have to add the following attribute to these entries:
sudoOption: !noexec

Of course, you could do the reverse. But from a security perspective, it is better to do it this way.

With regard to the script: I did not consult its author, but I guess there are no patents pending :-) The script is not a big deal anyway. Please use it, we're happy to give something back to the community.

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits




-----Original Message-----
From: Ran Li [mailto:Ran.Li at rti.rogers.com]
Sent: Thursday, December 29, 2005 19:33
To: Kivits, H.P. (Huibert); sudo-users at sudo.ws
Subject: RE: [sudo-users] regarding shell escape


Hi Huibert / list,

Are you using LDAP as the sudoers source? If so, how do you implement the noexec option on it? Could you share some tips on that?

Regarding the script to prevent shell escape, is that shareable over here? Thanks.

Regards,

Ran

-----Original Message-----
From: Huibert.Kivits at mail.ing.nl [mailto:Huibert.Kivits at mail.ing.nl] 
Sent: Thursday, December 29, 2005 1:18 PM
To: Ran Li; sudo-users at sudo.ws
Subject: RE: [sudo-users] regarding shell escape


Hi Ran,

The noexec option does not work on all platforms. It works on Solaris, but definitely not on AIX.

With regard to "vi", there is another option for preventing shell escapes. Instead of allowing "sudo vi", you should allow "sudo -e" or "sudoedit" only.

For AIX, a guru over here wrote a script which should prevent all shell escapes, for any sudo. You should test it on other platforms though. We manage Solaris systems as well, but with the noexec-option available, why rely on a script?

The script only matters for programs that offer the opportunity for a shell escape. It is not recommended to use it in other circumstances, as it would make the sudo syntax even more complicated. It may even challenge your ability to further restrict sudo commands. The sudo syntax (at least, if you authorize sudo via LDAP, as we do) only allows for a limited number of mandatory options.

Basically, what you need to do is:
- Place the script somewhere on the system, say: /usr/local/bin/script, or /usr/bin/script
- It is not recommended that anyone can modify the script. Permissions 555 are OK.
- You should authorize sudo's to be executed like the following:
  sudo /usr/local/bin/script <the_real_command>
- The script contains two lines:
  export SHELL=/usr/bin/false   # vi, less and similar spawn $SHELL for "!" escapes; false just exits 1
  "$@"                          # run the real command; "$@" keeps argument boundaries, unquoted $* does not
- This script works for the Korn Shell. I'm not really a shell expert, so I do not know for sure if this will work on other shells as well. It should be a piece of cake to test it, though.

Good luck!

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits

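As an added example (not the list poster's script or ING's LDAP layout), the wrapper from the message above in a stricter form, together with the LDIF for the cn=defaults / !noexec arrangement described further up the thread that lets sudo run it. The base DN, wrapper path, group name and edited file are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script nor ING's LDAP layout: a SHELL-neutralising
# wrapper for hosts where sudo's noexec is unavailable (AIX in the thread), plus the
# LDIF for the cn=defaults / !noexec scheme that lets sudo run it. The base DN,
# wrapper path, group name and edited file are assumptions.

SUDOERS_BASE='ou=SUDOers,dc=example,dc=com'   # placeholder base DN
WRAPPER=/usr/local/bin/noexec_wrap            # assumed install path of this script

# Run one command with SHELL pointed at /usr/bin/false. vi's ":!" and less's "!"
# start $SHELL, so the escape gets a program that exits 1 without running anything.
noexec_wrap() {
    case "$1" in
        /*) ;;   # absolute paths only, as a sudoers rule would list them
        *) echo "noexec_wrap: command must be an absolute path: '$1'" >&2; return 2 ;;
    esac
    # "$@" keeps argument boundaries; the thread's unquoted $* would re-split any
    # argument that contains whitespace.
    env SHELL=/usr/bin/false "$@"
}

# The two LDAP entries the thread describes: noexec as the default for every rule,
# and an explicit !noexec exception for the wrapper, which has to be allowed to
# exec the real command (under noexec the wrapper itself could run nothing).
sudoers_ldif() {
    cat <<EOF
dn: cn=defaults,$SUDOERS_BASE
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: noexec

dn: cn=vi_via_wrapper,$SUDOERS_BASE
objectClass: top
objectClass: sudoRole
cn: vi_via_wrapper
sudoUser: %editors
sudoHost: ALL
sudoCommand: $WRAPPER /usr/bin/vi /etc/motd
sudoOption: !noexec
EOF
}
# Load with: sudoers_ldif | ldapadd -x -D 'cn=admin,dc=example,dc=com' -W

# Observable checks: what a child sees in SHELL, and whether spawning it gets anywhere.
child_shell_var() { noexec_wrap /bin/sh -c 'printf %s "$SHELL"'; }
escape_attempt()  { noexec_wrap /bin/sh -c '"$SHELL" -c "echo escaped"'; }
```

The wrapper only closes escapes that go through $SHELL; programs that exec a hard-coded /bin/sh are unaffected, which is why the thread prefers noexec (or sudoedit for vi) where it is available.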



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ran Li
Sent: Thursday, December 29, 2005 17:50
To: sudo-users at sudo.ws
Subject: [sudo-users] regarding shell escape


Hello all,

I'm using LDAP for sudoers entries, yet I cannot prevent shell escapes properly. My platforms are SunOS 5.9, 5.10, HP-UX 11.11, Linux 2.6.9-11, sudo version 1.6.8p12.

After compiling, running `sudo -V | grep "dummy exec"` I got:
# ./sudo -V | grep "dummy exec"
File containing dummy exec functions: /opt/sudo/libexec/sudo_noexec.so

and sudo_noexec.so is in place.

I tried to create a role called noexec ... it does not forbid the vi shell escape.

LDAP Role: Noexec
  Commands:
    /usr/bin/less
    /bin/vi
    /usr/bin/vi

I also tried to add NOEXEC as a prefix of a sudoCommand; that does not work either.

LDAP Role: Admin
  Commands:
    NOEXEC: /usr/bin/less
    NOEXEC: /bin/vi
    NOEXEC: /usr/bin/vi

Other than completely blocking the vi command, does anybody have experience preventing shell escapes properly using LDAP sudoers entries? Thanks.

Regards,

Ran

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
-----------------------------------------------------------------
ATTENTION:
The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it.

Messages and attachments are scanned for all viruses known.
If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
-----------------------------------------------------------------