[sudo-users] How to prevent privilege escalation attacks through sudo?
mlh at zip.com.au
Fri Jan 12 05:06:31 EST 2007
On Thu, Jan 11, 2007 at 08:22:47AM +0200, David wrote:
> Question: In a distro where sudo is enabled by default (eg Ubuntu),
> how are privilege escalations via sudo avoided?
> 1) Bob has an Ubuntu box with 2 users bob & root (ignoring the system accounts).
> 2) Bob's user account gets compromised (eg, he views an image that
> exploits a buffer overrun in libpng)
> 3) Sometime later, bob runs 'sudo apt-get update', and enters his password.
> 4) An evil script, installed at (2), now also runs 'sudo
> install_evil_rootkit', and doesn't have to enter a password
> 5) Profit (for the spammers/black hats)
> I know there is a 'tty_tickets' option which prevents the same user
> from logging on from different ttys during the 'ticket' period.
> But what prevents the evil script from using the same tty? one
> possibility is to update ~/.bash_profile so 'sudo' is aliased with
> 'start_evil; sudo'
> I think something like 'pid_tickets' in addition to 'tty_tickets'
> would help here.
> Or is there some other protection in sudo (against attacks like this
> one) which I'm not aware of?
Once someone gets root in traditional unix, that's it; game over.
The only really effective mitigation is to limit root's power with
selinux (linux) or similar schemes in other unixes.
More information about the sudo-users