[sudo-users] SUDO & noexec

Tim Bradshaw tfb at tfeb.org
Wed Feb 19 03:56:54 MST 2014


On 18 Feb 2014, at 17:10, PASHIARDIS Charalambos <Charalambos.PASHIARDIS at swift.com> wrote:

> Am sure that this is not the first time to be asked this question but I
> wanted to make sure that I get as good of an answer as possible. The
> question I have relates to the "noexec" keyword. Mandating "noexec" to be on
> enhances security, but breaks applications that have legitimate reason to
> run (exec) other things. Is there a good way to have sudo just block
> interactive shell and allow other types of execs to go through?
> 

I spent a fairly long time looking at this, although it was a long time ago.  I am reasonably convinced that the answer is that no, this isn't possible.  The reason for this is essentially that in order to do that the system would need to know every possible path that might be an interactive shell, and it can't know that, because there are an unbounded number of such paths.  The other direction – having a known list of things for which exec* was allowed – would be less intractable.
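The argument in the reply above, modelled as an added example that is not part of the original post and is not sudo's code: a deny-by-path check against a permit-only-listed check. The file names, both policy functions and the digest pinning are assumptions made for the illustration, and every file is a constructed stand-in created in a temporary directory.

```python
import hashlib, os, shutil, tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def blocklist_permits(path, blocked_paths):
    """Deny-by-path: permit anything whose resolved path is not listed."""
    return os.path.realpath(path) not in blocked_paths

def allowlist_permits(path, allowed):
    """Permit only entries listed as resolved path -> expected SHA-256."""
    real = os.path.realpath(path)
    return real in allowed and allowed[real] == sha256_of(real)

def demo():
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        shell = os.path.join(root, "sh")        # stand-in for an interactive shell
        helper = os.path.join(root, "helper")   # stand-in for a legitimate child program
        for p, body in ((shell, b"constructed shell stand-in\n"),
                        (helper, b"constructed helper stand-in\n")):
            with open(p, "wb") as f:
                f.write(body)
        link = os.path.join(root, "sh-link")
        os.symlink(shell, link)                 # same file, second name
        copy = os.path.join(root, "not-a-shell")
        shutil.copy(shell, copy)                # same bytes, new path

        blocked = {shell}                       # the "known shells" list
        allowed = {helper: sha256_of(helper)}   # the "known good execs" list
        names = {"shell": shell, "symlink": link, "copy": copy, "helper": helper}
        result = {n: (blocklist_permits(p, blocked), allowlist_permits(p, allowed))
                  for n, p in names.items()}

        # Changing the listed helper's bytes only matters to the digest check.
        with open(helper, "ab") as f:
            f.write(b"modified\n")
        result["tampered helper"] = (blocklist_permits(helper, blocked),
                                     allowlist_permits(helper, allowed))
        return result
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for name, (by_blocklist, by_allowlist) in demo().items():
        print(f"{name:16} blocklist permits={by_blocklist!s:5} allowlist permits={by_allowlist}")
```

The blocklist catches the listed shell and its symlink but permits the copy under a new path, which is the unbounded-paths problem; the allowlist denies everything except the one listed, unmodified helper.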

