[sudo-users] Re: sudo-users Digest, Vol 47, Issue 9

Gnanavel Sekhar gnanavel.sekhar at rediffmail.com
Fri Nov 17 04:21:49 EST 2006


Dear friends,

How to configure sudo in AIX 4.3? Please guide me step by step.

Thanks
Gnanavel Sekhar

sudo-users at courtesan.com wrote:

Send sudo-users mailing list submissions to
	sudo-users at sudo.ws

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.sudo.ws/mailman/listinfo/sudo-users
or, via email, send a message with subject or body 'help' to
	sudo-users-request at sudo.ws

You can reach the person managing the list at
	sudo-users-owner at sudo.ws

When replying, please edit your Subject line so it is more specific
than "Re: Contents of sudo-users digest..."


Today's Topics:

   1. Re: Keep LD_LIBRAY_PATH (Jan Albrecht)
   2. Re: Keep LD_LIBRAY_PATH (Michael Potter)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 Nov 2006 13:52:25 +0100
From: Jan Albrecht
Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
To: sudo-users at courtesan.com
Content-Type: text/plain; charset=ISO-8859-1

Hi,

we came here to the same solution.
Re-sourcing the environment is the only way to keep the vars. But if we
know this, an attacker knows the same.
But ultimate security won't ever be achieved.

Thanks
Jan

Huibert.Kivits at mail.ing.nl wrote:
> Hi,
>
> Someone over here came with an elegant solution. Commands or scripts that are susceptible to this behaviour are to be run through a wrapper script. In our case, /usr/bin/doit.
> People who need to run a specific sudo, are required to run it like this:
> sudo /usr/bin/doit
> Instead of just:
> sudo
>
> The code of the doit script is simply as follows:
>
> #!/bin/ksh
>
> # @(#) doit 1.1 3/9/05
>
> export SHELL=/usr/bin/login
> $*
>
> Obviously, you will need to define your sudo authorizations in such a way that employees are forced to use the wrapper script. At our company, we exclusively authorize sudo via LDAP, so the attribute would be like this:
> sudoCommand: /usr/bin/doit
>
> Give it a try. It works.
>
> Obviously, using the noexec option on Solaris and some other UNIX flavors might also be helpful. The noexec option does not work on AIX, but "doit" has proven to be a very effective alternative.
>
> Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen / Med vänliga hälsningar / nuosirdziausi linkejimai,
>
>
> Huibert Kivits
> MSO UNIX / Consultant Information Security
> OPS&ITB/DCO/G&BS/S&C/Team 2
> Location code NA 06.86
> T (020) 563 73 33, F (020) 563 79 13
> E Huibert.Kivits at mail.ing.nl
> E General mailbox: "ITC MSO UNIX"
> IRM-a: NL DCO S&C MIDRANGE | ASIM/Infoman: AGISCOS
> "...all too often, when organizations develop information security programs, they treat security issues as a simple 'check-box' on the list of required corporate functions."
> Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001, ISBN: 0-596-00130-4
>
>
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Schernau, Ed
> Sent: Thursday 2 November 2006 18:56
> To: Russell Van Tassell; Todd C. Miller
> CC: sudo-users at courtesan.com
> Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
>
>
> Until someone breaks out of your shell script and ends up at a root prompt.
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Russell Van Tassell
> Sent: Thursday, November 02, 2006 12:39 PM
> To: Todd C. Miller
> Cc: sudo-users at courtesan.com
> Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
>
> On Thu, Nov 02, 2006 at 09:46:01AM -0500, Todd C. Miller wrote:
>> In message
>> so spake Jan Albrecht (jan.albrecht):
>>
>>> I think crle is no option as I have to use on a system environment where
>>> HP-UX, AIX, Linux and Solaris are running. So there must be a system
>>> wide solution.
>>>
>>> Is there no native way by sudo?
>>
>> The problem is that most dynamic linkers remove LD_LIBRARY_PATH when
>> running a setuid program (like sudo) so by the time sudo runs it is
>> not even in the environment.
>>
>> If you cannot change the global list of allowed shared library
>> locations you can always make a script that just sets the variable
>> appropriately and then executes the program that needs it.
>>
>> - todd
>
> *nod* I mentioned this a day or two ago... realistically, if you're using sudo chances are you really don't want to simply blindly pass through something like LD_LIBRARY_PATH -- the possible nastiness there is, well... probably outside of this discussion.
>
> It's really best to just write a simple wrapper script and name it something conspicuous with regards to the actual executable:
>
> -- begin
> #!/sbin/sh
>
> LD_LIBRARY_PATH=/path/to/my/lib
> export LD_LIBRARY_PATH
> /path/to/my/bin
> -- end
>
>


------------------------------

Message: 2
Date: Wed, 15 Nov 2006 09:55:57 -0600
From: "Michael Potter"
Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
To: "Jan Albrecht"
Cc: sudo-users at courtesan.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The security problem is that you want to 'keep the vars'. Whether you keep
the variables by re-sourcing the environment or Todd were to add a switch to
sudo to keep the vars, the security problem would still exist.

To avoid the problem you should think of a way to 'set the vars'. That is:
set the vars to their appropriate value based on a secure 'database' of
valid values.

-- Michael Potter

On 11/15/06, Jan Albrecht wrote:
>
> Hi,
>
> we came here to the same solution.
> Re-sourcing the environment is the only way to keep the vars. But if we
> know this, an attacker knows the same.
> But ultimate security won't ever be achieved.
>
> Thanks
> Jan
>
> Huibert.Kivits at mail.ing.nl wrote:
> > Hi,
> >
> > Someone over here came with an elegant solution. Commands or scripts
> that are susceptible to this behaviour are to be run through a wrapper
> script. In our case, /usr/bin/doit.
> > People who need to run a specific sudo, are required to run it like
> this:
> > sudo /usr/bin/doit
> > Instead of just:
> > sudo
> >
> > The code of the doit script is simply as follows:
> >
> > #!/bin/ksh
> >
> > # @(#) doit 1.1 3/9/05
> >
> > export SHELL=/usr/bin/login
> > $*
> >
> > Obviously, you will need to define your sudo authorizations in such a
> way that employees are forced to use the wrapper script. At our company, we
> exclusively authorize sudo via LDAP, so the attribute would be like this:
> > sudoCommand: /usr/bin/doit
> >
> > Give it a try. It works.
> >
> > Obviously, using the noexec option on Solaris and some other UNIX
> flavors might also be helpful. The noexec option does not work on AIX, but
> "doit" has proven to be a very effective alternative.
> >
> > Met vriendelijke groeten / With kind regards / Mit freundlichen Grüßen /
> Med vänliga hälsningar / nuosirdziausi linkejimai,
> >
> >
> > Huibert Kivits
> > MSO UNIX / Consultant Information Security
> > OPS&ITB/DCO/G&BS/S&C/Team 2
> > Location code NA 06.86
> > T (020) 563 73 33, F (020) 563 79 13
> > E Huibert.Kivits at mail.ing.nl
> > E General mailbox: "ITC MSO UNIX"
> > IRM-a: NL DCO S&C MIDRANGE | ASIM/Infoman: AGISCOS
> > "...all too often, when organizations develop information security
> programs, they treat security issues as a simple 'check-box' on the list of
> required corporate functions."
> > Richard Forno & Kenneth R van Wyk, "Incident Response", O'Reilly, 2001,
> ISBN: 0-596-00130-4
> >
> >
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:
> sudo-users-bounces at courtesan.com] On Behalf Of Schernau, Ed
> > Sent: Thursday 2 November 2006 18:56
> > To: Russell Van Tassell; Todd C. Miller
> > CC: sudo-users at courtesan.com
> > Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
> >
> >
> > Until someone breaks out of your shell script and ends up at a root
> prompt.
> >
> > -----Original Message-----
> > From: sudo-users-bounces at courtesan.com [mailto:
> sudo-users-bounces at courtesan.com] On Behalf Of Russell Van Tassell
> > Sent: Thursday, November 02, 2006 12:39 PM
> > To: Todd C. Miller
> > Cc: sudo-users at courtesan.com
> > Subject: Re: [sudo-users] Keep LD_LIBRAY_PATH
> >
> > On Thu, Nov 02, 2006 at 09:46:01AM -0500, Todd C. Miller wrote:
> >> In message
> >> so spake Jan Albrecht (jan.albrecht):
> >>
> >>> I think crle is no option as I have to use on a system environment
> where
> >>> HP-UX, AIX, Linux and Solaris are running. So there must be a system
> >>> wide solution.
> >>>
> >>> Is there no native way by sudo?
> >>
> >> The problem is that most dynamic linkers remove LD_LIBRARY_PATH when
> >> running a setuid program (like sudo) so by the time sudo runs it is
> >> not even in the environment.
> >>
> >> If you cannot change the global list of allowed shared library
> >> locations you can always make a script that just sets the variable
> >> appropriately and then executes the program that needs it.
> >>
> >> - todd
> >
> > *nod* I mentioned this a day or two ago... realistically, if you're
> using sudo chances are you really don't want to simply blindly pass through
> something like LD_LIBRARY_PATH -- the possible nastiness there is, well...
> probably outside of this discussion.
> >
> > It's really best to just write a simple wrapper script and name it
> something conspicuous with regards to the actual executable:
> >
> > -- begin
> > #!/sbin/sh
> >
> > LD_LIBRARY_PATH=/path/to/my/lib
> > export LD_LIBRARY_PATH
> > /path/to/my/bin
> > -- end
> >
> >
>
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

------------------------------

____________________________________________________________
sudo-users mailing list
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users

End of sudo-users Digest, Vol 47, Issue 9
*****************************************
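The "set the vars from a secure database of valid values" approach that Todd and Michael Potter describe in the digest above, written out as a sudo wrapper. This is an added example, not code from the list thread or from the sudo project; the wrapper name libwrap, the table path /etc/libwrap.conf, its two-column format and the fictional /opt/app/bin programs are assumptions. Unlike the doit script, it never runs an arbitrary command: the program must be listed in a root-owned table, the library directory configured for it must be a single absolute directory that nobody but the wrapper's own uid can write to, and only then is that program exec'd with its arguments passed intact as "$@".

```shell
#!/bin/sh
# Added example (not from the list thread). A sudo wrapper in the spirit of
# Todd's and Michael Potter's advice: instead of passing the caller's
# LD_LIBRARY_PATH through, look the value up in a root-owned table keyed by
# the absolute program path, validate it, then exec that program only.
# The wrapper name (libwrap), the table path and its format are assumptions.

# Assumed table format, one entry per line: <absolute program> <library dir>
LIBDIR_TABLE="${LIBDIR_TABLE:-/etc/libwrap.conf}"

# Print the library directory configured for a program; fail if it is absent.
# Exact match on the full path, so only listed programs can ever be run.
lookup_libdir() {
    awk -v p="$1" '
        /^#/ || NF < 2 { next }
        $1 == p        { print $2; found = 1; exit }
        END            { exit !found }
    ' "$LIBDIR_TABLE"
}

# Accept a single absolute directory only: no search-path separators and no
# "." / ".." components; it must exist, be owned by the uid the wrapper runs
# as (root under sudo) and not be group- or world-writable. Parent
# directories are not checked here.
validate_libdir() {
    case "$1" in
        /*) ;;
        *)  return 1 ;;
    esac
    case "$1" in
        *:*|*/.|*/./*|*/..|*/../*) return 1 ;;
    esac
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -un)" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Entry point used when invoked as: sudo /usr/local/sbin/libwrap <program> [args]
run_wrapped() {
    [ $# -ge 1 ] || { echo "usage: libwrap /abs/path/to/program [args...]" >&2; exit 2; }
    prog="$1"; shift
    libdir="$(lookup_libdir "$prog")" ||
        { echo "libwrap: $prog is not listed in $LIBDIR_TABLE" >&2; exit 1; }
    validate_libdir "$libdir" ||
        { echo "libwrap: refusing unsafe library directory $libdir" >&2; exit 1; }
    LD_LIBRARY_PATH="$libdir"
    export LD_LIBRARY_PATH
    exec "$prog" "$@"      # "$@" keeps arguments intact, unlike an unquoted $*
}

# Stand-alone demonstration on constructed input: a throwaway table that maps
# fictional programs to a correctly permissioned directory, a world-writable
# one and a colon-separated search path, then reports what the checks decide.
demo() {
    tmp="$(mktemp -d)" || return 1
    mkdir "$tmp/goodlib" "$tmp/badlib"
    chmod 755 "$tmp/goodlib"
    chmod 777 "$tmp/badlib"
    printf '%s\n' \
        '# constructed table: <program> <library dir>' \
        "/opt/app/bin/report $tmp/goodlib" \
        "/opt/app/bin/legacy $tmp/badlib" \
        "/opt/app/bin/multi  $tmp/goodlib:/tmp" > "$tmp/table"
    LIBDIR_TABLE="$tmp/table"
    for prog in /opt/app/bin/report /opt/app/bin/legacy /opt/app/bin/multi /bin/sh; do
        if libdir="$(lookup_libdir "$prog")" && validate_libdir "$libdir"; then
            echo "$prog: accept $libdir"
        else
            echo "$prog: reject"
        fi
    done
    rm -rf "$tmp"
}

# Act as the wrapper only when installed and invoked under its own name;
# run the demonstration otherwise.
case "${0##*/}" in
    libwrap) run_wrapped "$@" ;;
    *)       demo ;;
esac
```

The table lives in a root-owned, non-writable file and the sudoers or sudoCommand entry names only the wrapper (for example /usr/local/sbin/libwrap /opt/app/bin/report), so the caller chooses among listed programs and nothing else; because the checks run with root's uid after sudo has already dropped the caller's LD_LIBRARY_PATH, a directory any other user could write to is refused rather than silently searched by the loader.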

