[sudo-users] Checksum for executed scripts

Michael W. Lucas mwlucas at michaelwlucas.com
Tue Aug 20 10:15:38 MDT 2013


Once you run a shell script as root, you're basically hosed.

I think that I/O logging would help identify what happened in this
case, but that's only good to figure out what went wrong rather than
preventing access in the first place...


On Tue, Aug 20, 2013 at 02:38:58PM +0000, Holger.vanKoll at swisscom.com wrote:
> Like Todd already said, you can use SHA-2 digests.
> However, that's not enough to prevent your DBA from gaining root privileges.
> root.sh calls (among other scripts) e.g. setowner.sh, which sources in rootmacro.sh and so on.
> All of those scripts are normally writable by the oracle user, so he could put in any command that would be executed as root.
> 
> 
> On Tue, Aug 20, 2013 at 8:20 AM, Oracle.Beratung at t-online.de <oracle.beratung at t-online.de> wrote:
> 
> > Hello,
> >
> > For some reasons I would like to have an MD5 checksum for scripts 
> > executed by sudo, to be able to check that scripts executed via sudo 
> > but created by others contain what they have to contain.
> >
> > For example root.sh for Oracle installations.
> >
> > Because those scripts could be used as a backdoor to execute whatever 
> > someone wants as root user to make himself a superuser.
> >
> > A checksum would be a nice feature to make this safer.
> >
> >
> >
> > Kind regards,
> > Gerald Röhrbein
> > OraForecast.com the oh in Oracle
> > Alter Fährberg 9
> > 24814 Sehestedt
> >
> > Tel.: 0171 68 236 71
> > Private: 04357 99583 76
> > Fax: 04357 99583 79
> >
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws> For list information, 
> > options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users

-- 
Michael W. Lucas  -  mwlucas at michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
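The thread's point is that a digest on root.sh alone (sudoers supports this as a Digest_Spec, e.g. `oracle ALL = sha256:<hex> /opt/oracle/root.sh`) does not cover the helper scripts root.sh sources or calls, which is exactly where an oracle-writable file becomes a root backdoor. The following is an added example, not code from the thread or from the sudo project: a small POSIX sh wrapper that checks a manifest of SHA-256 digests over root.sh and every helper it pulls in, refuses to run if any file changed or is group/other writable, and only then executes the script. Paths such as /opt/oracle/root.sh and the manifest location are assumptions; it relies on GNU coreutils (sha256sum) and GNU find.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed wrapper around a
# root-executed script whose helpers live in a directory others can write.
# Assumes GNU coreutils (sha256sum) and GNU find (-perm /022).
set -u

# Manifest format (as produced by sha256sum), one entry per line:
#   <sha256 hex>  <absolute path>
# Build it once from a trusted copy of the scripts, for example (assumed paths):
#   sha256sum /opt/oracle/root.sh /opt/oracle/setowner.sh /opt/oracle/rootmacro.sh \
#       > /etc/sudo-manifests/root.sh.sha256
# Keep the manifest itself root-owned and not writable by the oracle user,
# otherwise it protects nothing.

# verify_manifest MANIFEST -> 0 if every listed file matches its digest, 1 otherwise
verify_manifest() {
    manifest=$1
    rc=0
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 1; }
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING: $path" >&2
            rc=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "DIGEST MISMATCH: $path" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# no_group_other_write FILE -> 0 if FILE exists and has no group/other write bit
no_group_other_write() {
    [ -e "$1" ] || return 1
    # GNU find: -perm /022 matches when any group or other write bit is set
    [ -z "$(find "$1" -maxdepth 0 -perm /022 2>/dev/null)" ]
}

# run_checked MANIFEST SCRIPT [ARGS...]
# Runs SCRIPT only after every manifest entry matches its digest and none of
# the listed files is writable by group/other. Any failure refuses to run.
run_checked() {
    manifest=$1
    shift
    verify_manifest "$manifest" || { echo "refusing to run: manifest check failed" >&2; return 1; }
    while read -r digest path; do
        [ -n "$path" ] || continue
        no_group_other_write "$path" || {
            echo "refusing to run: $path is group/other writable" >&2
            return 1
        }
    done < "$manifest"
    "$@"
}
```

Used from sudoers, the oracle user would be allowed to run only this wrapper (which must itself be root-owned and non-writable) rather than root.sh directly, so the digest check covers the whole call chain instead of just the entry point. The manifest has to be regenerated from a reviewed copy whenever the installer legitimately changes the scripts; a stale manifest fails closed rather than open.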

