[sudo-users] [Slightly offtopic?] Finding executables that can spawn shells

Tim Bradshaw tfb at tfeb.org
Thu Dec 18 03:19:36 MST 2014


We have the problem that people are putting things like 'less' in sudoers files, which is obviously very toxic.

The right answer to this is to use NOEXEC pervasively, but given the number of commands we have (thousands) there are going to be a good few things which do call exec but only to spawn bits of themselves.  Given time and the willingness to break stuff temporarily, NOEXEC is still the right answer I think: add it, let stuff break, and add exceptions.  But there is politics.

So in parallel to this I'm interested in being able to grovel over binaries and look for things that can do bad stuff (assuming they are not deliberately obfuscating the badness, in which case all is lost).  My approach to this has been to use nm to find badness, but this is fairly hairy: you need to know things like 'popen is bad even though there is no direct call to an exec* function' and also in some cases to trace through shared libraries: for instance if you look at the perl binary it calls basically nothing, but it links with libperl which does all its dirty work for it.

So the question is: does anyone have (pointers to) any set of tools which could semi-automate this process?  Platforms of most interest are Linux and Solaris, but unfortunately everything else as well (big old organisation).

Thanks, and sorry if this is too offtopic.

--tim
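A small script along the lines described in the post, added here as an example and not part of the original message or of sudo: it lists the imported (undefined) dynamic symbols of each binary and of every shared library it links against, and reports the ones that can start another program, so a binary like perl that imports almost nothing itself but links with libperl is still flagged. It assumes GNU binutils `nm -D` output and an `ldd` that prints `libname => /path (0xaddr)` lines; the symbol list, the function names and the library exclusion list are the author's choices here, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists the imported
# (undefined) dynamic symbols of a binary and of every shared library it
# links against, and reports the ones that can run another program.
# Assumes GNU binutils `nm -D` output and an `ldd` that prints
# "libname => /path (0xaddr)" lines. Statically linked binaries have no
# dynamic symbol table, so they show nothing here and need disassembly.

# Symbols that start a new process. popen(3) and system(3) run "sh -c",
# so they matter even when no exec* symbol is imported directly.
DANGEROUS_RE='^(execl|execle|execlp|execv|execve|execvp|execvpe|fexecve|posix_spawn|posix_spawnp|popen|system)$'

# Read `nm -D -u` output on stdin; print matching undefined symbols, one
# per line, sorted. Lines look like "                 U execve@GLIBC_2.2.5":
# awk ignores leading blanks so the type is $1 and the name is the last
# field; the @VERSION suffix is stripped before matching. "w" is a weak
# undefined reference, which still resolves to the real function.
dangerous_syms() {
    awk -v re="$DANGEROUS_RE" '
        $1 == "U" || $1 == "w" {
            name = $NF
            sub(/@.*/, "", name)
            if (name ~ re) print name
        }' | sort -u
}

# Shared libraries a binary links against (DT_NEEDED, resolved by ldd).
# The C library, its companions and the loader are skipped: libc defines
# exec/popen/system and every dynamic program links it, so it tells you
# nothing about the program itself.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
        grep -v -E '/(libc|libpthread|libdl|librt|libm|ld-linux[^/]*)\.so'
}

# Report a binary, and each library it pulls in, that imports a dangerous
# symbol. Output: "<binary>[ (via <library>)]: <symbols>".
scan_binary() {
    bin=$1
    hits=$(nm -D -u "$bin" 2>/dev/null | dangerous_syms | tr '\n' ' ')
    if [ -n "$hits" ]; then
        printf '%s: %s\n' "$bin" "$hits"
    fi
    needed_libs "$bin" | while read -r lib; do
        hits=$(nm -D -u "$lib" 2>/dev/null | dangerous_syms | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s (via %s): %s\n' "$bin" "$lib" "$hits"
        fi
    done
}

# Usage: sh findexec.sh /usr/bin/less /usr/bin/perl ...
# (feed it the command list from sudoers; nothing is printed for binaries
# that import none of the listed symbols directly or via a library)
for b in "$@"; do
    scan_binary "$b"
done
```

Two caveats a reviewer of the results would want. First, ldd resolves libraries by running the dynamic loader over the binary, so only point it at binaries you would execute anyway; `objdump -p FILE | grep NEEDED` lists the direct dependencies without running anything, at the cost of not following the chain. Second, `nm -D` only sees the dynamic symbol table: libraries loaded at run time with dlopen(3) (perl XS modules, plugins), or a library that reaches exec through its own internal, non-exported wrapper, do not show up, and a statically linked binary shows nothing at all. The same static-binary gap applies to sudo's NOEXEC, which is implemented by preloading a shared object that intercepts the exec family and so only covers dynamically linked programs, which is one more reason to keep the two approaches side by side as the post proposes.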
