[sudo-users] Keep LD_LIBRAY_PATH

Wed Nov 15 07:52:25 EST 2006

Hi,

we came here to the same solution.
Resourcing the enviroment is the only way to keep the vars. But if we
know this, an attacker knows the same.
But ultimate security won't ever be achieved.

Thanks
Jan

Huibert.Kivits at mail.ing.nl wrote:
> Hi,
>
> Someone over here came with an elegant solution. Commands or scripts that are susceptible to this behaviour are to be run through a wrapper script. In our case, /usr/bin/doit.
> People who need to run a specific sudo, are required to run it like this:
> sudo /usr/bin/doit <original command>
> Instead of just:
> sudo <original command>
>
> The code of the doit script is simply as follows:
>
> #!/bin/ksh
>  
> # @(#)  doit 1.1 3/9/05 
>  
> export SHELL=/usr/bin/login
> $*
>
> Obviously, you will need to define your sudo authorizations in such a way that employees are forced to use the wrapper script. At our company, we exclusively authorize sudo via LDAP, so the attribute would be like this:
> sudoCommand: /usr/bin/doit <original command>
>
> Give it a try. It works.
>
> Obviously, using the noexec option on Solaris and some other UNIX flavors might also be helpful. The noexec option does not work on AIX, but "doit" has proven to be a very effective alternative.
>
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
>
>
> Huibert Kivits
> MSO UNIX / Consultant Information Security
> OPS&ITB/DCO/G&BS/S&C/Team 2
> Locatiecode NA 06.86
> T (020) 563 73 33, F (020) 563 79 13
> E Huibert.Kivits at mail.ing.nl
> E Algemene mailbox: "ITC MSO UNIX"
> IRM-a:  NL DCO S&C MIDRANGE  |  ASIM/Infoman: AGISCOS
> "...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
> Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
>
>
>
> -----Oorspronkelijk bericht-----
> Van: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] Namens Schernau, Ed
> Verzonden: donderdag 2 november 2006 18:56
> Aan: Russell Van Tassell; Todd C. Miller
> CC: sudo-users at courtesan.com
> Onderwerp: Re: [sudo-users] Keep LD_LIBRAY_PATH
>
>
> Until someone breaks out of your shell script and ends up at a root prompt. 
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Russell Van Tassell
> Sent: Thursday, November 02, 2006 12:39 PM
> To: Todd C. Miller
> Cc: sudo-users at courtesan.com
> Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
>
> On Thu, Nov 02, 2006 at 09:46:01AM -0500, Todd C. Miller wrote:
>   
>> In message <4549F682.4080200 at gmail.com>
>> 	so spake Jan Albrecht (jan.albrecht):
>>
>>     
>>> I think crle is no option as I have to use on a system eviroment
>>>       
> where
>   
>>> HP-UX, AIX, Linux and Solaris are running. So there must be a system 
>>> wide solution.
>>>
>>> Is there no native way by sudo?
>>>       
>> The problem is that most dynamic linkers remove LD_LIBRAY_PATH when 
>> running a setuid program (like sudo) so by the time sudo runs it is 
>> not even in the environment.
>>
>> If you cannot change the global list of allowed shared library 
>> locations you can always make a script that just sets the variable 
>> appropriately and then executes the program that needs it.
>>
>>  - todd
>>     
>
> *nod*  I mentioned this a day or two ago... realistically, if you're using sudo chances are you really don't want to simply blindly pass through something like LD_LIBRARY_PATH -- the possible nastiness there is, well... probably outside of this discussion.
>
> It's really best to just write a simple wrapper script and name it something conscipicuous with regards to the actual executeable:
>
> -- begin
> #!/sbin/sh
>
> LD_LIBRARY_PATH=/path/to/my/lib
> export LD_LIBRARY_PATH
> /path/to/my/bin
> -- end
>
>
>   