[sudo-users] Question on noexec vs pagers & shell escapes

Michael W. Lucas mwlucas at michaelwlucas.com
Mon Aug 12 19:21:16 MDT 2013


The sudoers man page gives an example of using noexec to prevent shell

Cmnd_Alias      PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Defaults!PAGERS noexec
mwlucas  ALL = ALL

This appears to suffer from the same problem as excluding commands
from a permitted list, namely:

$ cp /usr/bin/more /tmp/
$ /tmp/more whatever
!passwd root

Am I missing something in how noexec works? Or is the only safe way to
really restrict shell escapes is to, say, make noexec the default and
whitelist commands that can run additional commands, something like:

Defaults!ALL    noexec
Cmnd_Alias   MAYEXEC = /usr/bin/newaliases,/usr/local/sbin/visudo

Am I missing something? Are there any other suggestions?


Michael W. Lucas  -  mwlucas at michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.

More information about the sudo-users mailing list