[sudo-users] Keep LD_LIBRARY_PATH

Michael Potter pottmi at gmail.com
Mon Nov 6 09:24:50 EST 2006


I second that request for the technique that would allow a non-privileged
user to get a root prompt using the listed shell script.

I am not asking that because I don't think it could possibly exist, I am
asking that because this is a common technique and if someone knows of a
vulnerability to this, I would really like to know.

A previous lister mentioned that they were not allowed to use wrapper
scripts because their security people had a strict rule.  However, they were
allowed to put rules in sudoers that were suspect: (ALL,!root).

One improvement that could be made to sudo that would make it more secure
regarding shell scripts is if sudo confirmed that the shell script's owner
and mode are secure. e.g. if a shell script is being invoked as root, its
owner should be root, and mode should be 700. (actually, I think the rules
should be a little more complex, but I think that gives you an idea of what
I would want).

-- 
Michael Potter

On 11/2/06, Russell Van Tassell <russell+sudo-users at loosenut.com> wrote:
>
> On Thu, Nov 02, 2006 at 12:55:34PM -0500, Schernau, Ed wrote:
> > Until someone breaks out of your shell script and ends up at a root
> > prompt.
>
> Well, considering that there are no user-level/configurable variables
> in there or anything, it exposes no other issues that aren't already
> present in either the system, itself, or any other scripted solutions.
> Unless I'm somehow missing something here... please feel free to point
> out the specific issue.
>
> Regards,
> Russell
>
> --
> Russell M. Van Tassell
> russell at loosenut.com
>
> "It is a mistake to think you can solve any major problems just with
> potatoes."                                              - Douglas Adams
>
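
The owner-and-mode check proposed in the message above, written out as an added example; it is not code from the post or from sudo. It goes beyond the "owner root, mode 700" rule by also checking each parent directory, since a directory writable by someone else lets them replace the script. The names `node_problems`, `check_script` and the `trusted_root` parameter are assumptions made for this sketch.

```python
import os
import stat
import tempfile

def node_problems(path, owner_uid, is_script):
    """Ownership/mode problems for one path; lstat so symlinks are not followed."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink"]
    if st.st_uid != owner_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    if is_script:
        if not stat.S_ISREG(st.st_mode):
            problems.append(f"{path}: not a regular file")
        if mode & 0o077:  # the post's rule: nothing beyond 700
            problems.append(f"{path}: mode {mode:03o} grants group/other access")
    elif mode & 0o022:  # a writable directory lets others replace the script
        problems.append(f"{path}: directory mode {mode:03o} is group/other writable")
    return problems

def check_script(script, owner_uid=0, trusted_root="/"):
    """Check the script, then each parent directory up to trusted_root."""
    script = os.path.abspath(script)
    problems = node_problems(script, owner_uid, is_script=True)
    directory = os.path.dirname(script)
    while True:
        problems += node_problems(directory, owner_uid, is_script=False)
        parent = os.path.dirname(directory)
        if directory == trusted_root or parent == directory:
            return problems
        directory = parent

if __name__ == "__main__":
    # Constructed sample: a throwaway script owned by the current user.
    base = tempfile.mkdtemp()
    sample = os.path.join(base, "job.sh")
    with open(sample, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    for file_mode in (0o700, 0o755):
        os.chmod(sample, file_mode)
        found = check_script(sample, owner_uid=os.getuid(), trusted_root=base)
        print(f"{file_mode:03o}:", found or "ok")
```

For a script run as root, call `check_script(path)` with the defaults so that every directory up to `/` must be root-owned and not group- or other-writable.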


