[sudo-users] SUDO & noexec

Todd C. Miller Todd.Miller at courtesan.com
Wed Feb 19 06:39:19 MST 2014


On Tue, 18 Feb 2014 17:10:58 +0000, PASHIARDIS Charalambos wrote:

> Am sure that this is not the first time to be asked this question but I
> wanted to make sure that I get as good of an answer as possible. The
> question I have relates to the "noexec" keyword. Mandating "noexec" to be on
> enhances security, but breaks applications that have legitimate reason to
> run (exec) other things. Is there a good way to have sudo just block
> interactive shell and allow other types of execs to go through?

There is not currently a way to do this.  Basically, in order to
do this the dummy exec function would need to do a callback to a
running sudo process and check the sudoers file for each command
the shell (or other program) tries to run.  This is possible, and
I do have some proof of concept code, so it may appear in a future
version of sudo.  It does, however, mean that you would need to
explicitly permit commands run by the program in the sudoers file.

 - todd
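The mechanism Todd sketches above, as an added illustration that is not sudo's code and not part of this thread: a preloadable shim that replaces execve(), asks a policy callback whether the requested command is permitted, and only then hands the call to the kernel. sudo's real noexec library has no callback and refuses every exec; the `noexec_policy_allows()` function and its static allowlist here are stand-ins for the lookup against the running sudo and the sudoers file that Todd describes. Note that this is an allowlist model (everything not listed fails), which is exactly the "explicitly permit commands" cost he mentions, rather than the deny-only-shells rule the original question asked for.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed allowlist standing in for the sudoers lookup that the
 * callback Todd describes would perform against the running sudo. */
static const char *const allowed_commands[] = {
    "/usr/bin/ls",
    "/usr/bin/cat",
    "/usr/bin/grep",
    NULL,
};

/* Hypothetical policy callback (not sudo's): returns 1 if the exact
 * path is permitted, 0 otherwise. sudo's real noexec has no such hook;
 * it refuses every exec from the preloaded library. A production check
 * would canonicalise the path first so /usr/bin/../bin/sh cannot slip
 * past an exact-string compare. */
int noexec_policy_allows(const char *path)
{
    if (path == NULL)
        return 0;
    for (size_t i = 0; allowed_commands[i] != NULL; i++)
        if (strcmp(path, allowed_commands[i]) == 0)
            return 1;
    return 0;
}

/* Interposed execve: when this file is built as a shared object and
 * preloaded, the dynamic linker resolves the program's execve() calls
 * here instead of libc's. Denied commands fail with EACCES; permitted
 * ones reach the kernel through the raw syscall (dlsym(RTLD_NEXT,
 * "execve") would be the other common way to reach the original). */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!noexec_policy_allows(path)) {
        fprintf(stderr, "noexec shim: denied exec of %s\n", path);
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_execve, path, argv, envp);
}

/* Exercise the deny path without leaving the process: returns the errno
 * set by the shim for an interactive-shell attempt, or 0 if the shell
 * was (wrongly) allowed through. */
int try_exec_denied_shell(void)
{
    char *const sh_argv[] = { "/bin/sh", NULL };
    if (execve("/bin/sh", sh_argv, NULL) == -1)
        return errno;
    return 0;
}

int main(void)
{
    const char *probes[] = { "/usr/bin/ls", "/bin/sh", "/usr/bin/../bin/ls" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-22s -> %s\n", probes[i],
               noexec_policy_allows(probes[i]) ? "allowed" : "denied");
    printf("shell attempt errno = %d (EACCES is %d)\n",
           try_exec_denied_shell(), EACCES);
    return 0;
}
```

Built as a normal program it just prints the policy decisions; built as a shared object (main() is unnecessary then) and preloaded into a process, every execve() that process makes is filtered through the allowlist. The limitation Todd's reply implies still holds: a preload shim only sees calls that go through the dynamic linker, so it is a policy aid, not a kernel-enforced boundary.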

