[sudo-users] is command substitution possible using sudo ?

Russell Van Tassell russell+sudo-users at loosenut.com
Wed Mar 19 16:43:15 EDT 2008


On Fri, Mar 14, 2008 at 02:06:18PM -0700, Mel Burslan wrote:
> I have this dilemma. I am on an hpux system which is configured as trusted.
> The security people have a scanner product which wants to see the contents of
> the user record for root. I am okay with this request if they cannot see
> the actual hashed password entry. They want to be able to run this command :
> 
> sudo cat /tcb/files/auth/r/root
> 
> what I want to do is, when sudo sees this command, I want it to run a
> different command which will jumble the characters of the hashed password,
> so that even if this hashed password falls into the wrong hands, it will
> mean nothing.
> 
> I tried to change command 'cat' to an alias to the script but then since it
> is used for other auth files and other configuration files, it becomes a
> burden to keep track of what this aliased script can or can not do. I just
> want to single out this command and replace it with something of my
> creation. Is this possible in the scope of sudo ?

Perhaps try aliasing it to a command that cycles through the arguments
and iteratively calls /usr/bin/cat for files other than the ones you
want scrambled (a simple "foreach" with an "if" statement would likely
do it); and, given a file on the "hitlist", it inserts a sed.

Pseudo-coded:

#!/bin/csh -f

# Print every argument with /usr/bin/cat, except the file on the "hitlist":
# for that one, mask the hashed password (the u_pwd= field of an HP-UX
# trusted-system entry) before it reaches the caller.
foreach f ( $argv:q )
  if ( "$f" != "/tcb/files/auth/r/root" ) then
    /usr/bin/cat "$f"
  else
    /usr/bin/cat "$f" | /usr/bin/sed 's/u_pwd=[^:]*/u_pwd=#########/'
  endif
end


-- 
Russell M. Van Tassell
russell at loosenut.com

"The Internet Oracle has pondered your question deeply. Your question
 was: ???? And in response, thus spake the Oracle: ..."
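A POSIX sh version of the same wrapper idea, added here as an example; it is not code from the original post or from the sudo project. It goes one step further than the csh sketch: instead of comparing the file name against a hitlist (which the caller can sidestep with a symlink or a `/tcb/files/auth/r/../r/root` spelling, since sudo hands the argument to the wrapper as typed), it masks the hash in the content of every file it prints, and it refuses option arguments so nothing can be smuggled to the real cat. The script name `maskcat`, its path `/usr/local/sbin/maskcat`, the `scanner` user in the sudoers comment and the sample tcb entry are all assumptions; the `u_pwd=` field name is the one HP-UX prpwd(4) uses for the stored hash.

```shell
#!/bin/sh
# Added example (not from the original post): a cat(1) replacement that a
# sudoers entry can allow instead of /usr/bin/cat. Every requested file is
# printed, but the password hash in an HP-UX trusted-system (tcb) entry,
# stored in a u_pwd=... field, is masked before it leaves the wrapper.
#
# Hypothetical sudoers line (user name and install path are assumptions):
#   scanner ALL = (root) NOPASSWD: /usr/local/sbin/maskcat /tcb/files/auth/*/*
#
# Design note: a wrapper that decides by file *name* can be bypassed when
# the caller controls the path (symlinks, ".." components). Filtering the
# content works whatever the path was, and is harmless on files that have
# no u_pwd field.

# Replace the value of every u_pwd= field with hash marks. Fields in an
# authcap-style entry are ':'-delimited, so stop at the next colon.
mask_hashes() {
    sed -e 's/u_pwd=[^:]*/u_pwd=########/g'
}

# cat replacement: rejects option arguments (so nobody can hand the real
# cat a flag it was never meant to see), rejects "-" (stdin), skips
# anything that is not a regular file, and filters the rest.
maskcat() {
    status=0
    for f in "$@"; do
        case "$f" in
            -*) printf 'maskcat: options are not accepted: %s\n' "$f" >&2
                status=1
                continue ;;
        esac
        if [ ! -f "$f" ]; then
            printf 'maskcat: not a regular file: %s\n' "$f" >&2
            status=1
            continue
        fi
        mask_hashes < "$f" || status=1
    done
    return $status
}

# When installed under the assumed name, behave like cat for the scanner.
if [ "${0##*/}" = "maskcat" ]; then
    maskcat "$@"
fi
```

With the sudoers entry above, the scanner's `sudo /usr/local/sbin/maskcat /tcb/files/auth/r/root` shows the record with `u_pwd=########` in place of the hash, while the original `sudo cat ...` is no longer permitted at all.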