[sudo-users] Keep LD_LIBRAY_PATH

Michael Potter pottmi at gmail.com
Wed Nov 15 10:55:57 EST 2006


The security problem is that you want to 'keep the vars'.  Whether you keep
the variables by re-sourcing the environment or Todd were to add a switch to
sudo to keep the vars, the security problem would still exist.

To avoid the problem you should think of a way to 'set the vars'.  That is:
set the vars to their appropriate value based on a secure 'database' of
valid values.

-- 
Michael Potter

On 11/15/06, Jan Albrecht <jan.albrecht at gmail.com> wrote:
>
> Hi,
>
> We came to the same solution here.
> Re-sourcing the environment is the only way to keep the vars. But if we
> know this, an attacker knows the same.
> But ultimate security won't ever be achieved.
>
> Thanks
> Jan
>
> Huibert.Kivits at mail.ing.nl wrote:
> > Hi,
> >
> > Someone over here came up with an elegant solution. Commands or scripts
> > that are susceptible to this behaviour are to be run through a wrapper
> > script. In our case, /usr/bin/doit.
> > People who need to run a specific sudo are required to run it like
> > this:
> > sudo /usr/bin/doit <original command>
> > Instead of just:
> > sudo <original command>
> >
> > The code of the doit script is simply as follows:
> >
> > #!/bin/ksh
> >
> > # @(#)  doit 1.1 3/9/05
> >
> > export SHELL=/usr/bin/login
> > # "$@" passes every argument through intact; the original $* re-split
> > # arguments on whitespace and broke on quoted or spaced values.
> > "$@"
> >
> > Obviously, you will need to define your sudo authorizations in such a
> > way that employees are forced to use the wrapper script. At our company, we
> > exclusively authorize sudo via LDAP, so the attribute would be like this:
> > sudoCommand: /usr/bin/doit <original command>
> >
> > Give it a try. It works.
> >
> > Obviously, using the noexec option on Solaris and some other UNIX
> > flavors might also be helpful. The noexec option does not work on AIX, but
> > "doit" has proven to be a very effective alternative.
> >
> > With kind regards,
> >
> >
> > Huibert Kivits
> > MSO UNIX / Consultant Information Security
> > OPS&ITB/DCO/G&BS/S&C/Team 2
> > Location code NA 06.86
> > T (020) 563 73 33, F (020) 563 79 13
> > E Huibert.Kivits at mail.ing.nl
> > E General mailbox: "ITC MSO UNIX"
> > IRM-a:  NL DCO S&C MIDRANGE  |  ASIM/Infoman: AGISCOS
> > "...all too often, when organizations develop information security
> programs, they treat security issues as a simple 'check-box' on the list of
> required corporate functions."
> > Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001,
> ISBN: 0-596-00130-4
> >
> >
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:
> > sudo-users-bounces at courtesan.com] On Behalf Of Schernau, Ed
> > Sent: Thursday, 2 November 2006 18:56
> > To: Russell Van Tassell; Todd C. Miller
> > CC: sudo-users at courtesan.com
> > Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
> >
> >
> > Until someone breaks out of your shell script and ends up at a root
> > prompt.
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:
> > sudo-users-bounces at courtesan.com] On Behalf Of Russell Van Tassell
> > Sent: Thursday, November 02, 2006 12:39 PM
> > To: Todd C. Miller
> > Cc: sudo-users at courtesan.com
> > Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
> >
> > On Thu, Nov 02, 2006 at 09:46:01AM -0500, Todd C. Miller wrote:
> >
> >> In message <4549F682.4080200 at gmail.com>
> >>      so spake Jan Albrecht (jan.albrecht):
> >>
> >>
> >>> I think crle is no option as I have to use it on a system environment where
> >>> HP-UX, AIX, Linux and Solaris are running. So there must be a system
> >>> wide solution.
> >>>
> >>> Is there no native way by sudo?
> >>>
> >> The problem is that most dynamic linkers remove LD_LIBRARY_PATH when
> >> running a setuid program (like sudo) so by the time sudo runs it is
> >> not even in the environment.
> >>
> >> If you cannot change the global list of allowed shared library
> >> locations you can always make a script that just sets the variable
> >> appropriately and then executes the program that needs it.
> >>
> >>  - todd
> >>
> >
> > *nod*  I mentioned this a day or two ago... realistically, if you're
> > using sudo chances are you really don't want to simply blindly pass through
> > something like LD_LIBRARY_PATH -- the possible nastiness there is, well...
> > probably outside of this discussion.
> >
> > It's really best to just write a simple wrapper script and name it
> > something conspicuous with regards to the actual executable:
> >
> > -- begin
> > #!/sbin/sh
> >
> > LD_LIBRARY_PATH=/path/to/my/lib
> > export LD_LIBRARY_PATH
> > # "$@" forwards the caller's arguments; exec avoids leaving a shell behind
> > exec /path/to/my/bin "$@"
> > -- end
> >
> >
> >
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
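A wrapper built along the lines Michael describes above, where the wrapper sets LD_LIBRARY_PATH from a fixed table of approved commands instead of keeping whatever the caller had. This is an added example, not code from the thread; the command paths, library directories and the doit name are constructed placeholders.

```shell
#!/bin/sh
# Wrapper in the "set the vars, don't keep them" spirit of the thread:
# the caller never supplies LD_LIBRARY_PATH. The wrapper looks the requested
# command up in a fixed table and sets the variable itself, refusing anything
# not in the table. Table entries below are constructed placeholders.

# approved_libs CMD: print the library path CMD is allowed, or fail.
# Exact-match only, so relative paths, symlink tricks and "../" never match.
approved_libs() {
    case "$1" in
        /opt/app/bin/report) echo /opt/app/lib ;;
        /opt/app/bin/backup) echo /opt/app/lib:/opt/db/lib ;;
        *) return 1 ;;
    esac
}

# resolve_env CMD: print the LD_LIBRARY_PATH assignment the wrapper would
# apply for CMD (lets the policy be checked without executing anything).
resolve_env() {
    libs=$(approved_libs "$1") || return 1
    echo "LD_LIBRARY_PATH=$libs"
}

# run_approved CMD [ARGS...]: run CMD under a minimal, fully controlled
# environment. The caller's environment is discarded with env -i.
run_approved() {
    cmd=$1
    libs=$(approved_libs "$cmd") || {
        echo "doit: $cmd is not an approved command" >&2
        return 1
    }
    shift
    # "$@" keeps each argument intact; SHELL=/usr/bin/login follows the
    # thread's trick so a program that spawns $SHELL lands in login, not a shell.
    exec env -i PATH=/usr/bin:/bin \
        LD_LIBRARY_PATH="$libs" SHELL=/usr/bin/login "$cmd" "$@"
}

# Only dispatch when invoked as the wrapper itself (e.g. sudo /usr/bin/doit CMD).
case "${0##*/}" in
    doit) run_approved "$@" ;;
esac
```

The sudoers or LDAP entry then authorizes only the wrapper, so the user cannot reach the program without going through the table.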