[sudo-users] Question on noexec vs pagers & shell escapes
Michael W. Lucas
mwlucas at michaelwlucas.com
Mon Aug 12 19:21:16 MDT 2013
Hi,
The sudoers man page gives an example of using noexec to prevent shell
escapes.
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Defaults!PAGERS noexec
mwlucas ALL = ALL
This appears to suffer from the same problem as excluding commands
from a permitted list, namely:
$ cp /usr/bin/more /tmp/
$ /tmp/more whatever
!passwd root
Am I missing something in how noexec works? Or is the only safe way to
really restrict shell escapes to, say, make noexec the default and
whitelist commands that can run additional commands, something like:
Defaults!ALL noexec
Cmnd_Alias MAYEXEC = /usr/bin/newaliases,/usr/local/sbin/visudo
mwlucas ALL = ALL, EXEC: MAYEXEC
Am I missing something? Are there any other suggestions?
==ml
--
Michael W. Lucas - mwlucas at michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
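Added example (not part of the original post or of the sudo project): a toy evaluator for the two sudoers fragments quoted above, written to show what each policy decides for the copied pager at /tmp/more. It models only Cmnd_Alias lines, "Defaults[!list] noexec" and single-line user specs with EXEC/NOEXEC tags. Assumptions, all simplifications of real sudo: command matching is an exact string comparison on the path, the host field is ignored, the last matching entry in a user's command list wins, and a tag persists for later commands in the same list. The fragments POLICY_A and POLICY_B are constructed copies of the post's examples.

```python
"""Toy model of how sudoers picks noexec for a requested command path.

Only the pieces needed for the two fragments in the post are implemented:
Cmnd_Alias, "Defaults noexec" / "Defaults!<list> noexec", and user specs
with EXEC/NOEXEC tags. Host matching, digests, runas lists and every other
sudoers feature are left out (simplifying assumption). Command matching is
an exact string comparison on the path, which is the point of the exercise:
/tmp/more is a different path from /usr/bin/more.
"""
import re

# Constructed copies of the two fragments from the post.
POLICY_A = """
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Defaults!PAGERS noexec
mwlucas ALL = ALL
"""

POLICY_B = """
Defaults!ALL noexec
Cmnd_Alias MAYEXEC = /usr/bin/newaliases,/usr/local/sbin/visudo
mwlucas ALL = ALL, EXEC: MAYEXEC
"""

TAG_RE = re.compile(r"^(NOEXEC|EXEC|NOPASSWD|PASSWD|SETENV|NOSETENV):\s*(.*)$")


def _expand(item, aliases):
    """Turn an alias name, a literal path or the wildcard ALL into a path set."""
    item = item.strip()
    if item in aliases:
        return set(aliases[item])
    return {item}  # 'ALL' stays as the literal wildcard


def parse_sudoers(text):
    """Return (noexec_defaults, user_specs) for a minimal sudoers fragment."""
    aliases = {}
    noexec_defaults = set()   # paths with noexec set by Defaults; may hold 'ALL'
    user_specs = []           # (user, [(tag_or_None, set_of_paths), ...])
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, rhs = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = frozenset(c.strip() for c in rhs.split(","))
        elif line.startswith("Defaults"):
            rest = line[len("Defaults"):]
            if rest.startswith("!"):          # per-command default
                target, option = rest[1:].split(None, 1)
            else:                             # global default
                target, option = "ALL", rest
            if option.strip() == "noexec":
                noexec_defaults |= _expand(target, aliases)
        else:
            user, rhs = line.split(None, 1)
            _hosts, cmd_list = rhs.split("=", 1)   # host field ignored (assumption)
            entries, tag = [], None
            for cmd in cmd_list.split(","):
                cmd = cmd.strip()
                m = TAG_RE.match(cmd)
                while m:                      # tags may stack: NOPASSWD: EXEC: cmd
                    if m.group(1) in ("EXEC", "NOEXEC"):
                        tag = m.group(1)      # persists for later commands in the list
                    cmd = m.group(2).strip()
                    m = TAG_RE.match(cmd)
                entries.append((tag, _expand(cmd, aliases)))
            user_specs.append((user, entries))
    return noexec_defaults, user_specs


def decide(policy, user, command):
    """Return (permitted, noexec) for `user` running exactly `command` via sudo."""
    noexec_defaults, user_specs = policy
    result = (False, None)
    for spec_user, entries in user_specs:
        if spec_user != user:
            continue
        for tag, paths in entries:
            if "ALL" in paths or command in paths:
                if tag is None:               # no tag: fall back to the Defaults
                    noexec = "ALL" in noexec_defaults or command in noexec_defaults
                else:
                    noexec = tag == "NOEXEC"
                result = (True, noexec)       # later matches override earlier ones
    return result


if __name__ == "__main__":
    for name, text in (("A", POLICY_A), ("B", POLICY_B)):
        pol = parse_sudoers(text)
        for cmd in ("/usr/bin/more", "/tmp/more", "/usr/local/sbin/visudo"):
            print(name, cmd, decide(pol, "mwlucas", cmd))
```

Under POLICY_A the copy at /tmp/more is permitted (the user spec says ALL) but gets no noexec, because "Defaults!PAGERS" only names the three original paths. Under POLICY_B every permitted command starts out noexec and only the two MAYEXEC paths get it cleared by the EXEC: tag.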