[sudo-users] Sudo in Linux

Steve T stevetucknott at yahoo.co.uk
Fri Nov 28 13:09:42 EST 2008


In the man sudoers, there's this:
PREVENTING SHELL ESCAPES
       Once sudo executes a program, that program is free to do whatever it pleases, including run other programs.  This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's restrictions.  Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.

       Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate shared library.  On such systems, sudo's noexec functionality can be used to prevent a program run by sudo from executing any other programs.  Note, however, that this applies only to native dynamically-linked executables.  Statically-linked executables and foreign executables running under binary emulation are not affected.

       To tell whether or not sudo supports noexec, you can run the following as root:

           sudo -V | grep "dummy exec"

       If the resulting output contains a line that begins with:

           File containing dummy exec functions:

       then sudo may be able to replace the exec family of functions in the standard library with its own that simply return an error.  Unfortunately, there is no foolproof way to know whether or not noexec will work at compile-time.  Noexec should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x.  It is known not to work on AIX and UnixWare.  Noexec is expected to work on most operating systems that support the LD_PRELOAD environment variable.  Check your operating system's manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is supported.

       To enable noexec for a command, use the NOEXEC tag as documented in the User Specification section above.  Here is that example again:

        aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

Does that help?

On Fri, 2008-11-28 at 15:51 -0200, Valdemir Santos wrote:

> How could I prevent Linux users from escaping to the shell
> using vi?
> I made this:
> Cmnd_Alias PRODCMD = !/usr/bin/vi,!/usr/xpg4/bin/vi,!/usr/ucb/vi,!/bin/vi
> but I need to set an editor for the users!
> ____________________________________________________________ 
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
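The thread contrasts two approaches: denying editors outright (the negated Cmnd_Alias in the question) versus granting them under the NOEXEC tag from the man page excerpt. The script below is an added example written for this page, not code from the thread or from the sudo project. It embeds a constructed sudoers fragment that places the unprotected grant beside the NOEXEC form, and audits it for commands that sudoers(5) names as permitting shell escapes (shells, editors, pagers) but that are granted without NOEXEC. The user names, the hostname "shanty" and the list of escape-capable programs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the sudo project): find sudoers rules
# that grant shell-escape-capable programs without the NOEXEC tag.

# Constructed sudoers fragment (assumed users/hosts): weak rule next to the
# corrected one. A negated command (!) grants nothing; NOPASSWD does not
# affect whether the program may exec.
SAMPLE_SUDOERS='
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/vim, /bin/nano
# weak: vi and less are granted with no NOEXEC tag
valdemir ALL = /usr/bin/vi, /usr/bin/less
# corrected: same editors, but sudo preloads its dummy exec functions
ops      ALL = NOEXEC: EDITORS, /usr/bin/less
# the example from sudoers(5)
aaron    shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
dave     ALL = NOPASSWD: /usr/bin/vim, !/bin/sh
carol    ALL = /bin/ls, /usr/bin/id
'

# Programs treated as offering shell escapes (assumed list: shells, editors,
# pagers). "ALL" is included because it grants every command, shells included.
ESCAPE_PROGS="sh bash csh ksh zsh vi vim view nano emacs more less pg ALL"

# Returns 0 if the basename of $1 is in ESCAPE_PROGS.
is_escape_prog() {
  name=${1##*/}
  for p in $ESCAPE_PROGS; do
    [ "$name" = "$p" ] && return 0
  done
  return 1
}

# Reads sudoers text on stdin and prints "user command" for every
# shell-escape-capable command granted without NOEXEC. Expands one level of
# Cmnd_Alias and assumes spaces around '=' (no #include, no nested aliases).
audit_sudoers() {
  aliases=""
  while IFS= read -r line; do
    line=${line%%#*}                                  # drop comments
    case "$line" in *=*) ;; *) continue ;; esac       # rules always contain '='
    set -- $line
    case "$1" in
      Cmnd_Alias)
        # "Cmnd_Alias NAME = a, b" is stored as "NAME a b"
        aliases="$aliases
$2 $(printf '%s' "${line#*=}" | tr -d ',')"
        continue ;;
      Defaults*|User_Alias|Host_Alias|Runas_Alias) continue ;;
    esac
    user=$1
    rhs=${line#*=}
    tag=EXEC                                          # sudo's default tag
    for tok in $(printf '%s' "$rhs" | tr ',' ' '); do
      case "$tok" in
        NOEXEC:) tag=NOEXEC; continue ;;              # applies to what follows
        EXEC:)   tag=EXEC;   continue ;;
        *:)      continue ;;                          # NOPASSWD: and friends
        '!'*)    continue ;;                          # negated: nothing granted
      esac
      case "$tok" in
        ALL)    cmds=ALL ;;
        [A-Z]*) cmds=$(printf '%s\n' "$aliases" |
                       awk -v n="$tok" '$1 == n { $1 = ""; print }') ;;
        *)      cmds=$tok ;;                          # a plain path, e.g. (root) or /usr/bin/vi
      esac
      for c in $cmds; do
        if [ "$tag" != NOEXEC ] && is_escape_prog "$c"; then
          printf '%s %s\n' "$user" "$c"
        fi
      done
    done
  done
  return 0
}

# Usage: the sample fragment reports valdemir's vi and less and dave's vim;
# the NOEXEC-tagged rules for ops and aaron are silent.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

The audit is a review aid for rule files, not a full sudoers grammar parser. Whether NOEXEC actually takes effect still has to be confirmed on the host with the `sudo -V | grep "dummy exec"` check quoted above, and per the same man page text it covers only native dynamically linked executables, so a statically linked editor or one running under binary emulation is not constrained by it.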
