[sudo-users] execute blocked command from a script
Ran.Li at rci.rogers.com
Fri May 26 12:16:08 EDT 2006
Thanks for your reply, you solved my problem before. We don't have AIX in our environment yet, so you got me.
Regarding the question "execute blocked commands from a script", do you have any suggestion on that? If the matter is how to use it rather than sudo itself, then I would like to hear your advice on how to consider this in an enterprise environment. Thanks again.
From: Huibert.Kivits at mail.ing.nl [mailto:Huibert.Kivits at mail.ing.nl]
Sent: Friday, May 26, 2006 7:11 AM
To: Ran Li; Matthew.Stier at us.fujitsu.com; sudo-users at sudo.ws
Subject: RE: [sudo-users] execute blocked command from a script
Unfortunately, the NOEXEC option does not work on all platforms. For sure, it doesn't work on AIX.
Some smart guy at our company invented a way around this problem. Scripts - and any command that offers a shell escape - are only allowed to be run through a wrapper. This wrapper in itself is a script and looks like this:
So what you basically do is the following:
- Create a script /usr/local/bin/wrapper
- Put the aforementioned lines in the script
- Permissions should be 555, and root should be the owner
- Authorize sudo's like follows:
sudoCommand: /usr/local/bin/wrapper <the intended command or script>
(This is how you would authorize the sudo through LDAP; dunno about a local /etc/sudoers file)
Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions." Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On behalf of Ran Li
Sent: Thursday, 25 May 2006 15:16
To: Matthew Stier; sudo-users at sudo.ws
Subject: Re: [sudo-users] execute blocked command from a script
Shell escape can be blocked by the NOEXEC option, so I would not worry about that, unless there are other ways ... what I meant was even if you can block vi, the user can still insert a line using any other editor, so the question is ... if there is another way to block a command from being executed which has already been blocked by a "!/command" entry.
Thanks and regards,
From: Matthew Stier [mailto:Matthew.Stier at us.fujitsu.com]
Sent: Thursday, May 25, 2006 8:56 AM
To: Ran Li
Subject: Re: [sudo-users] execute blocked command from a script
Worse than that.
You can use the stock 'vi' to spawn an interactive subshell, with the
same privileges as the user running 'vi'.
So if you give someone permissions to run 'vi' (and any command that
permits opening an interactive subshell) as root, you've given them full
Ran Li wrote:
> hello all,
> I'm using LDAP-based sudo; basically it allows users to do anything
> except some commands like "shutdown" (sudoCommand
> As I did a test, when a user executes the "shutdown" command directly it will
> give the proper output and will prevent the user from doing so: "Sorry,
> user is not allowed to execute '/usr/sbin/shutdown' as root on host"
> however, if a user uses vi to edit a file/script, inserts the line "shutdown"
> and grants execute permission to that script, then it will be out of
> My question is, other than granting the user the specific commands they need,
> is there a way to resolve this kind of issue? Thanks.
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
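The following is an added illustration, not code from anyone in this thread, showing in local /etc/sudoers syntax the blacklist rule from the original question next to the whitelist-plus-NOEXEC-plus-wrapper arrangement Huibert describes. The user name "ranli", the paths under /usr/local/scripts, the files handed to sudoedit, and the wrapper's argument are hypothetical; the wrapper itself is the root-owned, mode 555 script the thread refers to, whose contents are not on the page.

```sudoers
# Added example; not from the thread. "ranli", /usr/local/scripts/* and the
# sudoedit targets are made-up values chosen for illustration.

# 1. The blacklist pattern from the original question (commented out so it
#    does not take effect). sudo only matches the command line it is asked
#    to run, so a script written with vi, or any program that can start a
#    shell, reaches /usr/sbin/shutdown anyway. The sudoers manual itself
#    warns that subtracting commands from ALL is not a security boundary.
# ranli   ALL = (root) ALL, !/usr/sbin/shutdown

# 2. Whitelist instead: only what the user actually needs.
#    "noexec" makes sudo block programs started *by* an allowed command,
#    which closes vi's shell escape on platforms where sudo can preload its
#    noexec library (per the thread, not AIX).
Defaults        noexec

# Editing files: sudoedit copies the file to a temp location, runs the
# user's editor with the user's own privileges and writes the result back,
# so the editor never runs as root and there is nothing for NOEXEC to miss.
ranli   ALL = (root) sudoedit /etc/motd, sudoedit /etc/hosts.allow

# Scripts: permitted only through the root-owned wrapper, with a fixed
# argument so the user cannot substitute a script of their own. The wrapper
# has to start the script, so this one entry needs the EXEC tag to override
# "Defaults noexec"; everything else in the file stays under noexec.
ranli   ALL = (root) EXEC: /usr/local/bin/wrapper /usr/local/scripts/rotate-logs.sh
```

Check a candidate file with `visudo -c -f /path/to/candidate` before installing it, and remember that NOEXEC only governs what the allowed command executes; a wrapper granted EXEC is only as safe as the argument list pinned in the rule and the ownership and permissions of the scripts it is allowed to run.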