[sudo-users] AIX 5.3 and noexec

achillesmf at pop.com.br achillesmf at pop.com.br
Mon Jul 28 08:18:14 EDT 2008



Hello Todd/ All,

Thanks for the tip. I was adding noexec in Defaults. Instead I will
segregate the commands I want to avoid in the user specification area.

Sample:
<Filtered Group>            ALL = NOPASSWD: ALL, <FILTERED_COMMAND_ALIAS>, NOEXEC: /usr/bin/vi

I tested and the results seem fine, including su (ing) to other accounts.

Since the crontab command can be used to exploit shell escape, do you know
how to filter it with noexec? When I add crontab in the above sample
after vi and try to execute "crontab -e", it does not work.
However, crontab -l works great. I wanted to avoid changing the environment
variable EDITOR. Clues?

Many many thanks in advance.
Achilles


> In message <10926.160.213.122.247.1216994575.squirrel at popmail.pop.com.br>
> 	so spake  (achillesmf):
> 
>> Hello,
>> I'm trying to use noexec option and I get the following error when
>> trying to change accounts:
>> $ sudo su - myaccou
>> 3004-505 Cannot set process environment.
>> I compile sudo-1.6.9p17 with the option
>> with-noexec=/dir/sudo_noexec.so
>> Then I add noexec in my /etc/sudoers' Defaults.
>> Has anyone experienced such error?
> 
> It doesn't make sense to use noexec with su since the whole point
> of su is to run a shell.  What's happening is that sudo runs su,
> but then su is unable to execute the actual shell due to noexec.
> 
>  - todd
>
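
The scoping difference discussed in this thread, as a sudoers sketch added here (not part of the original messages): a global `Defaults noexec` beside per-command `NOEXEC:`/`EXEC:` tags. The group `%ops`, the alias `SHELL_ESCAPES` and the `/usr/bin/su` path are assumed names for illustration; the three variants are alternatives, not one file.

```sudoers
# Constructed example. %ops, SHELL_ESCAPES and the su path are assumptions.

# --- Variant A: noexec as a global default --------------------------------
# Every command started through sudo is denied further exec calls.
# "sudo su - account" then fails: sudo runs su, but su cannot exec
# the login shell.
Defaults noexec
%ops  ALL = NOPASSWD: ALL

# --- Variant B: no global default, tag only the risky commands ------------
# A tag applies to the commands that follow it in the list, and the last
# matching entry wins, so vi runs with noexec while everything covered
# by ALL (su included) can still exec.
Cmnd_Alias SHELL_ESCAPES = /usr/bin/vi
%ops  ALL = NOPASSWD: ALL, NOEXEC: SHELL_ESCAPES

# --- Variant C: keep the global default, exempt su explicitly -------------
# EXEC: overrides "Defaults noexec" for the commands that follow it.
Defaults noexec
%ops  ALL = NOPASSWD: ALL, EXEC: /usr/bin/su

# A command whose job is to start another program is affected the same
# way su is: "crontab -e" must exec an editor, so it cannot do its work
# under NOEXEC, while "crontab -l" execs nothing.
```

Validate any change with `visudo -c` before installing it.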


