[sudo-users] sudo question
greenwaldjared at gmail.com
Tue Jan 3 09:58:16 EST 2006
Yea, this is definitely more the case. I have a few people that need
to be able to do a handful of commands in a certain directory that
require them to be root (make, sudoedit). There will definitely be a couple of
files that are going to be setuid root though.
Well, this has given me a place to start from.
On 1/3/06, Huibert.Kivits at mail.ing.nl <Huibert.Kivits at mail.ing.nl> wrote:
> Hi Jared,
> Not sure this will help you. Just a few suggestions. These should work if you authorize sudo via LDAP. Otherwise, you may need to change a few things.
> - It is a bad idea to give someone sudo rights for "vi". Unless you're running an OS that allows for the "noexec" option, like Solaris. That's because otherwise, "vi" will allow for shell escapes. On other environments, one should only allow for "sudoedit" or "sudo -e".
> - A chroot jail environment shouldn't be necessary, as it is possible to limit authorizations by making the allowed sudo commands more explicit.
> So instead of authorizing "sudo /usr/bin/chown", you should authorize: "sudo /usr/bin/chown root <name of directory>/*"
> Instead of "vi", unless you're running an OS that allows for the "noexec" option, you could authorize as follows:
> "sudoedit <name of directory>/*"
> I would recommend that you perform some auditing on the directory concerned. It doesn't require great hacking skills to place a root kit in this directory, with the authorizations you are going to provide. In particular, you should be alert for setuid root files.
> Another recommendation is that you would test if the "noexec" option really works on your systems.
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
> Huibert Kivits
> OPS&ITB/WPS/UAS/MSO UNIX
> Locatiecode NA 00.92
> T (020) 563 72 77, F (020) 563 70 02
> E Huibert.Kivits at mail.ing.nl
> "...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
> Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
> -----Original message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Jared Greenwald
> Sent: Tuesday 3 January 2006 2:21
> To: sudo-users at sudo.ws
> Subject: [sudo-users] sudo question
> I have a general question about sudo and/or sysadmin (I'm sure they overlap more often than not)...
> I need to give root access to a bunch of people on a particular directory. They need to have the files owned by root for testing purposes, but they also need to be able to run make and vi on them.
> Is there a way to create a chroot jail sort of setup with sudo to accomplish this?
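Huibert's advice above to audit the shared directory and watch for setuid files, as an added example that is not part of the thread: a POSIX shell function that lists every setuid or setgid regular file beneath a directory together with its owner, plus a counting wrapper for scripted checks. The demo directory and its files are constructed in a temp directory and owned by the running user, since the demo does not need root; on a real system the owner column is what tells you whether a file is setuid root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory that several
# users may modify as root via sudo for setuid/setgid files.

# List setuid or setgid regular files under $1, one "ls -ld" line each,
# so the mode and owner are visible to whoever reviews the output.
audit_setuid() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Count only (0 means clean); handy for a cron job or a pre-release check.
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed stand-in for the shared project tree.
demo() {
    d=$(mktemp -d)
    : > "$d/Makefile"
    printf '#!/bin/sh\necho hi\n' > "$d/helper"
    chmod 755 "$d/helper"
    chmod u+s "$d/helper"    # the kind of file the thread says to watch for
    audit_setuid "$d"
    echo "setuid/setgid files found: $(count_setuid "$d")"
    rm -rf "$d"
}

demo
```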