[sudo-users] Sudo with PEP (Privilege Extension Prevention)

Christopher Racky christopher.racky at web.de
Thu Nov 21 13:28:21 MST 2013

Hello List,

We are using sudo with LDAP for quite a long time.

Currently sudo has no privilege extension prevention, that means, sudo
does not include any protection for permission extension.

One example:
If I have the permission to edit a binary like a script as a "normal user"
   e.g. vi /usr/local/sbin/makesomething.sh
sudo has no protection that prevents me running this command in another
user context, if the ruleset allows.
   e.g.  sudo /usr/local/sbin/makesomething.sh

So from my point of view, sudo should prevent me from executing a
command in an other user context if I'm able to write to the executed
Of couse the executed file could join/merge or fork other processes,
but this is -from my opinon- a very basic security functionality which
should prevent some basic mistakes.

Is there any special reason for not having such functionality?
Or is this functionality already available?

Dear list, users and technical architects, what is your opinion about

Best regards

More information about the sudo-users mailing list