[sudo-users] Sudo with directory allows .. to be added. How do I avoid this.
highc at stny.rr.com
Sat Nov 20 09:52:45 EST 2010
On 11/19/2010 2:13 PM, Richard van den Berg wrote:
> On 19-11-10 18:52 , Art A wrote:
>> %mygrp ALL=sudoedit /var/opt/perf/*
>> this works
>> sudo -e /var/opt/perf/perfd.ini
>> This also works: (app-defaults is a subdirectory)
>> sudo -e /var/opt/perf/app-defaults/../../../../etc/passwd
>> So my question is how can I allow someone to edit any file in a
>> directory without putting every file in the sudoers. I have read the
>> documentation and tried [!.] but it didn't work for me. What I would
>> settle on is a way to say any pattern without a '..' in it is valid.
> Try this:
> !sudoedit /var/opt/perf/*..*
> I don't know exactly how to sudoedit works with ! negation, but the above works for other commands.
First a caution, you have only noticed one of a few possible exploits
that are created when you specify a wild card on a parameter.
I will not state it is possible to allow wild cards without allowing
some form of exploit. And not all the exploits will exist solely based
on the forms and blockages you code in sudoers. Having so cautioned; if
a team 'insists' they must have wild cards in their parameter list, the
'standard' blocks I code for them is:
!/usr/bin/view *[\:space\:]/* *,!/usr/bin/view *..*, !/usr/bin/view *./*
(replace the fully qualified name with sudoedit or whatever other
-single file as parameter- command you need to allow. The item with
'space' in it is to prevent the following:
sudo -e /var/opt/perf/perfd.ini /any/directory/any/file
The entry with .. is to block the exploit you noticed. The ./ entry is
actually more intended to protect against some exploits which are
possible when some specific coding within the parm is present... and I
don't have my references handy to resurrect exactly what they were, I
have simply mandated the need to code the parm within my 'area of control'.
The other thing you will want to be -very- careful about is the
If you allow the person you are granting sudoedit authority to the ability
to create files in that directory, they can create symlinks to any file
on the system, and thereby modify any file on the system.
There may be other pitfalls easy to get trapped in; but these are the
ones I've noticed. The only 100% solution I know of is to require each
parm to be specifically coded; however, the above mitigates the risk to
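As an added illustration (not code from the thread or from the sudo project), the script below approximates the two checks discussed in the reply. `pattern_allows` mimics the sudoers glob decision with Python's `fnmatch`, which is a stand-in for sudo's own matcher, not identical to it: the assumption is that the argument list is joined with single spaces before matching and that `*` matches `/`, as the question's `../../../../etc/passwd` example shows. The deny list `* *`, `*..*`, `*./*` is my reading of the reply's three negated entries. `resolves_under` is the filesystem-aware check a glob cannot perform: canonicalize the path (following symlinks and collapsing `..`) and require it to stay under the intended directory. `demo` builds a throwaway directory with one real config file and one symlink pointing outside it, so the symlink pitfall from the reply is visible: the glob rules pass it, the canonicalization check does not.

```python
import fnmatch
import os
import tempfile

# Allow rule from the original question; deny patterns as I read the reply.
# Assumption: sudo joins the arguments with spaces and '*' matches '/'.
ALLOW = "/var/opt/perf/*"
DENY = ["* *", "*..*", "*./*"]


def pattern_allows(args, allow_glob=ALLOW, deny_globs=DENY):
    """Approximate sudoers glob matching for `sudoedit <args>`.

    Returns True when the joined argument string matches the allow glob and
    none of the deny globs. Purely textual: no filesystem lookups happen here,
    so a symlink that keeps the allowed prefix sails through.
    """
    joined = " ".join(args)
    if not fnmatch.fnmatchcase(joined, allow_glob):
        return False
    return not any(fnmatch.fnmatchcase(joined, d) for d in deny_globs)


def resolves_under(path, root):
    """Filesystem-aware check: canonicalize both sides and require the
    resolved target to live inside root. This catches '..' and symlinks."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def demo():
    """Constructed sandbox (hypothetical layout, not the poster's system):
    tmp/perf/perfd.ini is a legitimate target, tmp/secret sits outside the
    allowed directory, and tmp/perf/link is a symlink to tmp/secret.
    Returns {case: (glob_verdict, canonical_verdict)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "perf")
        os.mkdir(root)
        cfg = os.path.join(root, "perfd.ini")
        open(cfg, "w").close()
        secret = os.path.join(tmp, "secret")
        open(secret, "w").close()
        link = os.path.join(root, "link")
        os.symlink(secret, link)

        allow = root + "/*"  # same shape as the question's rule, rooted in tmp
        cases = {
            "plain file": [cfg],
            "dotdot escape": [os.path.join(root, "app-defaults", "..", "..", "secret")],
            "two arguments": [cfg, secret],
            "symlink escape": [link],
        }
        return {
            name: (
                pattern_allows(argv, allow),
                all(resolves_under(p, root) for p in argv),
            )
            for name, argv in cases.items()
        }


if __name__ == "__main__":
    for name, (by_glob, by_realpath) in demo().items():
        print(f"{name:15s} glob={by_glob!s:5s} canonical={by_realpath}")
```

The deny globs stop the `..` and multi-argument cases, which is what the reply's entries are for, but the symlink case is only rejected by `resolves_under`; in sudo terms that is why the reply pairs the pattern blocks with a warning about who may create files in the directory.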