[sudo-users] How to prevent editing sudoers-file

Michael Potter pottmi at gmail.com
Mon Nov 27 17:58:43 EST 2006


In defense of the authors of sudo, and for the benefit of those who are new
to sudo who may be reading this thread:
Tracing softlinks would not significantly increase the security of this
situation.  No situation comes to mind where it would, but I suspect there
is some situation.

By "this situation", I mean giving an untrusted user full root access, but
backing off some commands that are considered dangerous.

I welcome someone to dispute my statement, but ask that that person post a
sample of the sudoers file that they consider to be secure assuming softlink
tracing worked, but insecure because it does not.

I would love to be proven wrong because that means I would learn something
about sudo.
-- 
Michael Potter

On 11/27/06, Claude Hohl <longneck at bluewin.ch> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > OK, thank you guys for the tips. I solved the problem about the
> > writable sudoers file this way:
> > Sudoers is located on a dedicated server; and it's exported via NFS
> > as a read-only filesystem. therefore, even as root you can not
> > write on it!
> >
> > it's a pity that the developers don't implement the tracing of
> > softlinks. not everybody wants to setup a dedicated server just for
> > sudo...
> >
> >
> > Am 27.11.2006 um 4:01 schrieb Stephen Carville:
> >
> >> Stanley, Jon wrote:
> >>> What if the "bad user" disables said cronjob?  IMHO, it should
> >>> checkin occasionally to say it ran, and an exception should be
> >>> generated if it does not run. The exact mechanism is still
> >>> unclear to me - it needs to be something that involves both the
> >>> server and the client, since if it's client-only, the malicious
> >>> user could write a script to emulate the behavior of the real
> >>> one, sans the actual checking.
> >>
> >> The cron job runs on the secured station, not the target box, and there
> >> are some other safeguards on that box since it is also a central
> >> password
> >> repository.
> >>
> >> The script also sends status to Big Brother and Big Brother looks for
> >> visudo in bb-proctab but that's really trivial to spoof.  Sure this
> >> could be bypassed.  Any! security can be bypassed.  I'm just
> >> suggesting
> >> an additional and relatively easy to implement layer.
> >>
> >>>
> >>> ----- Original Message -----
> >>> From: sudo-users-bounces at courtesan.com <sudo-users-
> >>> bounces at courtesan.com>
> >>> To: sudo-users at sudo.ws <sudo-users at sudo.ws>
> >>> Sent: Sun Nov 26 18:47:22 2006
> >>> Subject: Re: [sudo-users] How to prevent editing sudoers-file
> >>>
> >>> Michael Potter wrote:
> >>>> Claude,
> >>>>
> >>>> This question comes up in many forms many times.
> >>>>
> >>>> This comes down to that you are trying to enumerate all the bad
> >>>> things that
> >>>> a user could do and put in a rule to avoid them.  That strategy
> >>>> does not
> >>>> work.  There are many other ways that your user could do malicious
> >>>> things (and
> >>>> not be logged).
> >>>
> >>> One thing I do is to edit my sudoers file on a workstation that
> >>> only
> >>> "sudo admins" have access to.  When the edits are done, a script
> >>> is run
> >>>   to push the modified sudoers file to all the machines that use it.
> >>> This script also writes out a file with the new sudoers file
> >>> md5sum in
> >>> it.  A cron job runs regularly that checks the md5sum for sudoers
> >>> on all
> >>> of the machines and if there is a difference, notifies the sudo
> >>> admins.
> >>>
> >>
> >>
> >> --
> >> Stephen Carville <stephen at totalflood.com>
> >> Unix and Network Admin
> >> Nationwide Totalflood
> >> 6033 W. Century Blvd
> >> Los Angeles, CA 90045
> >> 310-342-3602
> >> ____________________________________________________________
> >> sudo-users mailing list <sudo-users at sudo.ws>
> >> For list information, options, or to unsubscribe, visit:
> >> http://www.sudo.ws/mailman/listinfo/sudo-users
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.3 (Darwin)
> >
> > iD8DBQFFa1jukPADilYGTHwRAs06AJwMsn+/kdfhgUcq54p0qfn0c1Q4qACfeyCM
> > Yx2AeNLDqUnl/JzHFqJ3cKQ=
> > =epwd
> > -----END PGP SIGNATURE-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
>
> iD8DBQFFa1lxkPADilYGTHwRArruAJ4wx2WuMSit5RuMJtusNJdsEhM55QCeNWcQ
> XOAJoEyLdavUHK4mYrogzkw=
> =3S+0
> -----END PGP SIGNATURE-----
>
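The push-and-verify scheme Stephen Carville describes (write out the checksum of the sudoers file you distributed, then have a cron job compare it on every host and notify the admins on any difference) can be implemented in a few lines of POSIX shell. The script below is an added example written for this page, not code from the thread or from the sudo project. It assumes GNU coreutils `sha256sum` (falling back to `shasum -a 256`); the thread uses md5sum, but MD5 is no longer collision-resistant, so SHA-256 is used here. The file paths and the sample sudoers contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: integrity manifest for a centrally pushed sudoers file.
# Assumption: sha256sum (coreutils) or shasum is available. In production the
# manifest belongs on the push station, not on the host being checked, since
# anyone who is root on the target can rewrite both the file and the manifest.

# hash_file <path> : print the SHA-256 hex digest of a file
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_manifest <sudoers-file> <manifest-file>
# Run on the push station right after distributing the file: writes
# "<digest>  <path>" lines in the same format sha256sum -c understands.
record_manifest() {
    printf '%s  %s\n' "$(hash_file "$1")" "$1" > "$2"
}

# check_manifest <manifest-file>
# Run from cron. Returns 0 if every listed file still matches its digest,
# 1 otherwise, and prints "MODIFIED <path>" or "MISSING <path>" lines that a
# wrapper can mail to the sudo admins.
check_manifest() {
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -r "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(hash_file "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$1"
    return $status
}

# Demo on constructed files in a temporary directory: record, verify,
# tamper, verify again.
demo() {
    tmp=$(mktemp -d)
    printf 'root ALL=(ALL) ALL\n' > "$tmp/sudoers"
    record_manifest "$tmp/sudoers" "$tmp/sudoers.sha256"
    check_manifest "$tmp/sudoers.sha256" && echo "ok: sudoers unchanged"
    # Constructed tampering: an extra rule appended on the target host.
    printf 'mallory ALL=(ALL) NOPASSWD: ALL\n' >> "$tmp/sudoers"
    check_manifest "$tmp/sudoers.sha256" || echo "alert: notify sudo admins"
    rm -rf "$tmp"
}

demo
```

Two practical caveats this thread already raises: the check only tells you the file differs from what was pushed, not that the pushed content is sane, so run `visudo -c` on the workstation before distributing; and because a root user on the target can disable the cron job, the comparison should be driven from the secured station (or the manifest kept where the target cannot write it), with a missing or late report treated as an alert in its own right.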