[sudo-users] Cmnd_Alias mystery

Seul, Jeffrey JeffreySeul at officemax.com
Thu Jul 17 10:06:52 EDT 2008


Interesting, doesn't seem to work on my FC 9 workstation with Sudo 1.6.9p4 - 

[i08122u at paranoia ~]$ sudo -l
User i08122u may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (ALL) NOEXEC: NOPASSWD: /bin
    (ALL) NOEXEC: NOPASSWD: /usr/bin
[i08122u at paranoia ~]$ sudo vi /etc/shadow

<was viewing a file then typed in 
:! /bin/sh

<voila, here's my shell>

sh-3.2# exit
exit

Press ENTER or type command to continue
[i08122u at paranoia ~]$ sudo -V
Sudo version 1.6.9p4

I'll try again with the 1.7 rc

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Burns, Richard
Sent: Thursday, July 17, 2008 8:22 AM
To: Matt Marchione; sudo-users at sudo.ws
Subject: Re: [sudo-users] Cmnd_Alias mystery

Try your rule as such:

user_x 	ALL=(ALL) NOPASSWD (ALL), NOEXEC: /usr/bin

Then you cannot even exit "vi" into the shell, as the NOEXEC flag
prevents it. We've tested this at version 1.6.8p12.

Richard Burns
Mid Range Systems: Senior Technical Engineer
416-348-4067

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
Battersby-Cornmell,Robin Alasdair
Sent: 2008, July, 17 4:31 AM
To: Matt Marchione; sudo-users at sudo.ws
Subject: Re: [sudo-users] Cmnd_Alias mystery


I would think that it is interpreted as a two step process. 

What you would find is that as the command alias for SH=/usr/bin/*sh is
expanded, it finds no files to match and therefore evaluates to SH=
<NULL>, hence the directive is that user_x can run anything except.
Yes, deliberately truncated that sentence.

In your format without the alias, I'm assuming that the directive
actually reads the command string and tries to match the !/usr/bin/*sh
directly.



I hope that this helps.




Robin Battersby-Cornmell
Unisys, Liverpool


-----Original Message-----
From: Matt Marchione [mailto:mmarchio at coat.com] 
Sent: Tuesday, July 15, 2008 10:32 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] Cmnd_Alias mystery


I've been trying to solve an unusual problem with a Cmnd alias that
we've been having and I've figured out what was causing it, but don't
understand why.

Given:
Cmnd_Alias	SH=/usr/bin/*sh

user_x		ALL=(ALL) NOPASSWD:ALL,!SH

This was meant to allow "user_x" to run any command except commands in
/usr/bin that end with 'sh'. However, this result occurs when executing:

 > sudo /bin/ls
Sorry, user user_x is not allowed to execute '/bin/ls' as root on host.
 >


However, if the sudoers is set up as follows, the command works:

user_x		ALL=(ALL) NOPASSWD:ALL,!/usr/bin/*sh



The culprit in this case turned out to be /usr/bin/sh was not present;
link, binary or otherwise. Once /usr/bin/sh was put in place, the alias
form worked correctly. I would have thought that sudo wouldn't care if
it exists or not with the wild card alias. Can anyone shed some light on
this?

The platform this was occurring on is SuSE-SLES 10. The sudo version is
1.6.9p13 and compiled from source, not a pre-built RPM. Any help would
be appreciated.

Thanks,
MattM
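A small audit script, added here as an illustration and not code from the thread or from sudo itself: it expands wildcard command patterns in a sudoers fragment against a filesystem root, the way sudo resolves wildcard Cmnd specs with glob(3), and flags a negated pattern such as !SH that currently matches nothing. The rule text and the throwaway /usr/bin tree are constructed for the demonstration; the parser only handles the simple alias and user-spec lines shown in the thread.

```python
"""Audit wildcard command patterns in a sudoers fragment by expanding them
against a filesystem root, the way sudo resolves them with glob(3).
Added example, not code from the thread or from sudo itself."""
import glob
import os
import re
import tempfile

# Constructed copy of the rule from the original post.
SUDOERS = "Cmnd_Alias\tSH=/usr/bin/*sh\nuser_x\t\tALL=(ALL) NOPASSWD:ALL,!SH\n"
ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+?)\s*$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")        # NOPASSWD:, NOEXEC:, ...

def parse_sudoers(text):
    """Return ({alias: [patterns]}, [(user, [cmnd tokens])]) for simple lines."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
            continue
        user, rest = line.split(None, 1)               # "user_x", "ALL=(ALL) ..."
        cmnds = re.sub(r"\([^)]*\)", "", rest.split("=", 1)[1])  # drop runas "(ALL)"
        specs.append((user, [TAG_RE.sub("", t.strip()) for t in cmnds.split(",")]))
    return aliases, specs

def audit(text, root="/"):
    """Expand every wildcard pattern under `root`; flag negated ones with no match."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for user, toks in specs:
        for tok in toks:
            negated, name = tok.startswith("!"), tok.lstrip("!")
            for pat in aliases.get(name, [name]):
                if pat == "ALL" or not re.search(r"[*?\[]", pat):
                    continue                       # literal path, nothing to expand
                hits = glob.glob(os.path.join(root, pat.lstrip("/")))
                findings.append({"user": user, "pattern": pat, "negated": negated,
                                 "matches": sorted("/" + os.path.relpath(h, root) for h in hits),
                                 "vacuous": negated and not hits})
    return findings

def demo(with_sh):
    """Audit the thread's rule against a throwaway /usr/bin with or without sh."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name in ["ls", "sh"] if with_sh else ["ls"]:
            open(os.path.join(root, "usr/bin", name), "w").close()
        return audit(SUDOERS, root)

if __name__ == "__main__":
    for state, result in (("absent", demo(False)), ("present", demo(True))):
        print("/usr/bin/sh %s: %s" % (state, result[0]))
```

Run it against a real /etc/sudoers with audit(open("/etc/sudoers").read()) to list every wildcard deny pattern whose match set is currently empty.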




____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
