[sudo-users] Keep LD_LIBRAY_PATH

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Mon Nov 6 09:30:39 EST 2006


Someone over here came up with an elegant solution. Commands or scripts that are susceptible to this behaviour are to be run through a wrapper script, in our case /usr/bin/doit.
People who need to run a specific sudo command are required to run it like this:
sudo /usr/bin/doit <original command>
Instead of just:
sudo <original command>

The code of the doit script is simply as follows:

#!/bin/sh
# @(#)  doit 1.1 3/9/05
# A shell escape from the wrapped command now spawns a login prompt, not a root shell.
export SHELL=/usr/bin/login
# Run the original command given on the sudo line. The archived message shows
# only the SHELL export; this line is the step that makes the wrapper run the command.
exec "$@"

Obviously, you will need to define your sudo authorizations in such a way that employees are forced to use the wrapper script. At our company, we exclusively authorize sudo via LDAP, so the attribute would be like this:
sudoCommand: /usr/bin/doit <original command>

Give it a try. It works.

Obviously, using the noexec option on Solaris and some other UNIX flavors might also be helpful. The noexec option does not work on AIX, but "doit" has proven to be a very effective alternative.

With kind regards,

Huibert Kivits
MSO UNIX / Consultant Information Security
Location code NA 06.86
T (020) 563 73 33, F (020) 563 79 13
E Huibert.Kivits at mail.ing.nl
E General mailbox: "ITC MSO UNIX"
"...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Schernau, Ed
Sent: Thursday, November 2, 2006 18:56
To: Russell Van Tassell; Todd C. Miller
CC: sudo-users at courtesan.com
Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH

Until someone breaks out of your shell script and ends up at a root prompt. 

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Russell Van Tassell
Sent: Thursday, November 02, 2006 12:39 PM
To: Todd C. Miller
Cc: sudo-users at courtesan.com
Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH

On Thu, Nov 02, 2006 at 09:46:01AM -0500, Todd C. Miller wrote:
> In message <4549F682.4080200 at gmail.com>
> 	so spake Jan Albrecht (jan.albrecht):
> > I think crle is no option as I have to use it in a system environment
> > where HP-UX, AIX, Linux and Solaris are running. So there must be a system 
> > wide solution.
> > 
> > Is there no native way by sudo?
> The problem is that most dynamic linkers remove LD_LIBRARY_PATH when 
> running a setuid program (like sudo) so by the time sudo runs it is 
> not even in the environment.
> If you cannot change the global list of allowed shared library 
> locations you can always make a script that just sets the variable 
> appropriately and then executes the program that needs it.
>  - todd

*nod*  I mentioned this a day or two ago... realistically, if you're using sudo chances are you really don't want to simply blindly pass through something like LD_LIBRARY_PATH -- the possible nastiness there is, well... probably outside of this discussion.

It's really best to just write a simple wrapper script and name it something conspicuous with regards to the actual executable:

-- begin

-- end

Russell M. Van Tassell
russell at loosenut.com

Try not to have a good time ... This is supposed to be educational.
                                                       -- Charles Schulz
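Both wrappers discussed in this thread (Huibert's doit, which resets SHELL so that shell escapes land on a login prompt, and Russell's script that sets LD_LIBRARY_PATH itself and then executes the real program) can live in one script. The following is an added example written for this page; it is not code posted by either author or shipped with sudo. The program path /opt/app/bin/app, the library directory /opt/app/lib, the installed name libwrap and the argument filter are all assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code posted by either author.
# Install as /usr/local/bin/libwrap (assumed name) and authorize that path
# in sudoers or the LDAP sudoCommand attribute instead of the real binary.
# The program and library paths below are constructed for illustration.

APP_BIN="/opt/app/bin/app"      # the real executable this wrapper fronts (assumed)
APP_LIBDIR="/opt/app/lib"       # the single library directory we trust (assumed)

# Print the library path the wrapped program should see, or fail.
# The invoking user's LD_LIBRARY_PATH is never consulted: the dynamic linker
# has already dropped it before the setuid sudo binary runs, and honouring it
# would let the caller choose which shared objects the privileged program loads.
safe_libpath() {
    case "$1" in
        *:*|*/../*|*/..|..*) return 1 ;;   # several entries or parent traversal: refuse
        /*) printf '%s\n' "$1" ;;           # one absolute directory: accept
        *)  return 1 ;;                     # relative or empty: refuse
    esac
}

# Accept only plain word arguments: no shell metacharacters, no leading '-'
# (so the wrapped program cannot be handed options the policy never allowed).
check_arg() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_./=:@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

wrapper_main() {
    libdir=$(safe_libpath "$APP_LIBDIR") || { echo "libwrap: bad library dir" >&2; return 2; }
    for a in "$@"; do
        check_arg "$a" || { echo "libwrap: rejected argument: $a" >&2; return 2; }
    done
    LD_LIBRARY_PATH="$libdir"
    export LD_LIBRARY_PATH
    # Huibert's doit trick: a shell escape from the wrapped program
    # spawns a login prompt rather than a root shell.
    SHELL=/usr/bin/login
    export SHELL
    exec "$APP_BIN" "$@"
}

# Only hand over to the real program when installed and invoked as "libwrap";
# under any other name (e.g. when sourced for testing) the functions are just defined.
case "$0" in
    libwrap|*/libwrap) wrapper_main "$@" ;;
esac
```

With the wrapper installed, the sudoers rule or the sudoCommand attribute names /usr/local/bin/libwrap rather than /opt/app/bin/app, and users run `sudo /usr/local/bin/libwrap report.txt`. The library directory is fixed by the administrator in the script, so nothing the caller puts in the environment or on the command line changes what the privileged program loads.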

sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit: http://www.sudo.ws/mailman/listinfo/sudo-users
