[sudo-users] execute blocked command from a script

Huibert.Kivits at mail.ing.nl
Fri May 26 07:11:19 EDT 2006


Hi Ran,

Unfortunately, the NOEXEC option does not work on all platforms. For sure, it doesn't work on AIX.

Some smart guy at our company invented a way around this problem. Scripts - and any command that offers a shell escape - are only allowed to be run through a wrapper. This wrapper in itself is a script and looks like this:

#!/bin/ksh
# Make any shell escape from the wrapped command spawn login(1) instead of a shell
export SHELL=/usr/bin/login
# Run the intended command; "$@" keeps each argument intact, whereas $* would re-split them
"$@"

So what you basically do is the following:
- Create a script /usr/local/bin/wrapper
- Put the aforementioned lines in the script
- Permissions should be 555, and root should be the owner
- Authorize the sudo rules as follows:
  sudoCommand: /usr/local/bin/wrapper <the intended command or script>
  (This is how you would authorize the sudo through LDAP; dunno about a local /etc/sudoers file)

Success!

Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,


Huibert Kivits

"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
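
An added example, not code from the thread or from the sudo project: a POSIX sh audit that reads sudoers text and flags the two patterns discussed above, an "ALL with ! exclusions" deny-list (bypassable via a script or an editor's shell escape) and a shell-escape-capable command granted without the NOEXEC tag. The sample sudoers fragment and the list of shell-escape commands are constructed/assumed.

```sh
#!/bin/sh
# Constructed sample sudoers fragment (not from the thread). Line 1 mirrors
# the "everything except shutdown" rule Ran describes; lines 2-3 grant vi
# without and with the NOEXEC tag.
SAMPLE_SUDOERS='ran     ALL=(ALL)  ALL, !/usr/sbin/shutdown
ops     ALL=(root) /usr/bin/vi /etc/hosts
ops     ALL=(root) NOEXEC: /usr/bin/vi /etc/motd
backup  ALL=(root) /usr/bin/rsync'

# Assumed list of commands that offer an interactive shell escape; extend
# it for your site. Matched against the basename of each granted command.
ESCAPE_CMDS='vi|vim|view|ex|less|more|man'

# audit_sudoers: read sudoers text on stdin, print one finding per risky
# rule. Flags (1) rules granting ALL that rely on "!" exclusions, and
# (2) shell-escape-capable commands granted without NOEXEC. Aliases and
# "Defaults noexec" are not expanded here.
audit_sudoers() {
    awk -v esc="$ESCAPE_CMDS" '
    /^[ \t]*(#|$)/ { next }                          # comments, blanks
    /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        spec = $0; sub(/^[^=]*=/, "", spec)          # runas/tag/command list
        if (spec ~ /(^|[^!A-Za-z_])ALL([ \t,]|$)/ && spec ~ /!/)
            printf "line %d: deny-list on top of ALL (bypassable): %s\n", NR, $0
        n = split(spec, cmds, ",")
        noexec = 0                                   # a tag persists across the list
        for (i = 1; i <= n; i++) {
            c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c ~ /(^|[ \t])NOEXEC:/) noexec = 1
            else if (c ~ /(^|[ \t])EXEC:/) noexec = 0
            if (!noexec && c ~ ("(^|/)(" esc ")([ \t]|$)"))
                printf "line %d: shell-escape command without NOEXEC: %s\n", NR, c
        }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run it against a real file with `audit_sudoers < /etc/sudoers` (as root, or on a copy).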



-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Ran Li
Sent: Thursday, May 25, 2006 15:16
To: Matthew Stier; sudo-users at sudo.ws
Subject: Re: [sudo-users] execute blocked command from a script


Shell escapes can be blocked by the NOEXEC option, so I would not worry about that, unless there are other ways ... what I meant was that even if you block vi, the user can still insert a line using any other editor, so the question is ... whether there is another way to block a command from being executed that has already been blocked by a "!/command" entry.

Thanks and regards,

Ran

-----Original Message-----
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com] 
Sent: Thursday, May 25, 2006 8:56 AM
To: Ran Li
Subject: Re: [sudo-users] execute blocked command from a script


Worse than that.

You can use the stock 'vi' to spawn an interactive subshell, with the same privileges as the user running 'vi'.

So if you give someone permission to run 'vi' (or any command that permits opening an interactive subshell) as root, you've given them full root access.


Ran Li wrote:
> hello all,
>
> I'm using LDAP-based sudo; basically it allows users to do anything
> except some commands like "shutdown" (sudoCommand !/usr/sbin/shutdown).
>
> As I did a test, when a user executes the "shutdown" command directly it will
> give the proper output and will prevent the user from doing so: "Sorry,
> user is not allowed to execute '/usr/sbin/shutdown' as root on host"
>
> However, if the user uses vi to edit a file/script, inserts the line "shutdown"
> and grants execute permission to that script, then it will be out of
> control.
>
> My question is, other than granting the user the specific commands they need,
> is there a way to resolve this kind of issue?  Thanks.
>
> Regards,
>
> Ran
>

____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users