[sudo-users] SUDO & noexec

PASHIARDIS Charalambos Charalambos.PASHIARDIS at swift.com
Wed Feb 19 11:58:34 MST 2014


Hi Todd,

Thanks so much for your reply. This makes a lot of sense and it would
greatly improve the SUDO's security. And it goes without saying that users,
sudo administrators, will have to do some extra configuration for this. What
What I am not sure about though, is if during this callback the sudoers file should
contain a black or white list of commands...!

Best regards,

Haris Pashiardis

-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] 
Sent: Wednesday, February 19, 2014 8:39 AM
To: PASHIARDIS Charalambos
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] SUDO & noexec

On Tue, 18 Feb 2014 17:10:58 +0000, PASHIARDIS Charalambos wrote:

> I am sure that this is not the first time to be asked this question but 
> I wanted to make sure that I get as good of an answer as possible. The 
> question I have relates to the "noexec" keyword. Mandating "noexec" to 
> be on enhances security, but breaks applications that have legitimate 
> reason to run (exec) other things. Is there a good way to have sudo 
> just block interactive shell and allow other types of execs to go through?

There is not currently a way to do this.  Basically, in order to do this the
dummy exec function would need to do a callback to a running sudo process
and check the sudoers file for each command the shell (or other program)
tries to run.  This is possible, and I do have some proof of concept code,
so it may appear in a future version of sudo.  It does, however, mean that
you would need to explicitly permit commands run by the program in the
sudoers file.

 - todd
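An illustration, added here and not sudo's own code, of the dummy-exec mechanism Todd describes above, extended with the per-command check Haris asks about: a preloaded execve() that refuses everything except a list of permitted programs. The allowlist, `noexec_permitted()` and `try_exec()` are constructed for this example; a real implementation would consult the running sudo process instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed allowlist for this example. In the design Todd describes, the
 * running sudo process would answer from the sudoers file instead. */
static const char *const allowed_execs[] = { "/usr/bin/ls", "/usr/bin/cat" };

/* 1 if PATH may be executed from inside the noexec session, else 0. No
 * interactive shell is listed, so a program that tries to drop into /bin/sh
 * is stopped while its other child processes are not. */
int noexec_permitted(const char *path)
{
    size_t n = sizeof(allowed_execs) / sizeof(allowed_execs[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, allowed_execs[i]) == 0)
            return 1;
    return 0;
}

/* Replacement for libc's execve(), the technique sudo's noexec applies via
 * LD_PRELOAD: this symbol is resolved before libc's, and a refused call fails
 * with EACCES as sudo's dummy exec does. A permitted call goes straight to
 * the kernel so this wrapper is not re-entered. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!noexec_permitted(path)) {
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_execve, path, argv, envp);
}

/* Caveats a real shim must cover: glibc's execl/execvp/system/popen/posix_spawn
 * do not pass through this symbol, so each needs its own wrapper, and static
 * binaries or raw syscalls bypass LD_PRELOAD entirely. */

/* Tries PATH; returns the errno of the refusal (0 only if the exec succeeded,
 * in which case this process image has already been replaced). */
int try_exec(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    if (execve(path, argv, NULL) == -1)
        return errno;
    return 0;
}
```

Built as a shared object (`-fPIC -shared`) and loaded with LD_PRELOAD, the wrapper sits in front of libc for every dynamically linked child of the session, which is exactly where the noexec keyword places sudo's own library.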
