[sudo-users] Sudo in Linux
Steve T
stevetucknott at yahoo.co.uk
Fri Nov 28 13:09:42 EST 2008
In the man sudoers, there's this:
PREVENTING SHELL ESCAPES

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's restrictions. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.

Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate shared library. On such systems, sudo's noexec functionality can be used to prevent a program run by sudo from executing any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected.

To tell whether or not sudo supports noexec, you can run the following as root:

    sudo -V | grep "dummy exec"

If the resulting output contains a line that begins with:

    File containing dummy exec functions:

then sudo may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know whether or not noexec will work at compile-time. Noexec should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known not to work on AIX and UnixWare. Noexec is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is supported.

To enable noexec for a command, use the NOEXEC tag as documented in the User Specification section above. Here is that example again:

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
Does that help?
On Fri, 2008-11-28 at 15:51 -0200, Valdemir Santos wrote:
> How could I prevent Linux users from escaping to the shell
> using vi?
> I made this:
> Cmnd_Alias PRODCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi
> but I need to set some editor for the users!
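An added sudoers fragment, not from the original post or from the sudo manual, showing how the NOEXEC tag from the quoted manual section would be applied to a list of editors: the editors stay allowed, but sudo loads its dummy exec library so the editor cannot spawn a shell or any other program. The host name "prodhost", the user name "valdemir", the alias name EDITORS and the editor paths are assumed for illustration.

```sudoers
# Constructed example. Before relying on this, confirm that this sudo
# build has noexec support, as the quoted manual section describes:
#     sudo -V | grep "dummy exec"
# and remember that noexec only covers native dynamically-linked
# binaries; a statically-linked editor is not affected.

# Editors the users are permitted to run.
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/xpg4/bin/vi, /usr/ucb/vi, /bin/vi

# Option 1: per-rule. The NOEXEC tag applies to every command that
# follows it in this entry, so each editor runs with exec disabled.
valdemir prodhost = NOEXEC: EDITORS

# Option 2: make noexec the default for all rules, then opt out only
# for commands that legitimately need to start child processes.
# (Uncomment to use instead of, or in addition to, Option 1.)
# Defaults noexec
# valdemir prodhost = EXEC: /usr/local/bin/needs-children
```

Validate the file with visudo rather than editing /etc/sudoers directly, then confirm the effect by running one of the listed editors through sudo as the user and checking that an attempt to run an external command from inside the editor fails instead of producing a root shell.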