[sudo-users] Sudo with PEP (Privilege Extension Prevention)

Christopher Racky christopher.racky at web.de
Sun Jan 5 05:25:32 MST 2014


   Hello Todd,

   Thanks for your feedback and email.
   The SHA-2 digest is a good concept, but in larger setups (like ours) it
   is -to be honest- very unrealistic.
   For example: We use sudo with LDAP backend on a set of very different
   operating systems, platforms and versions (like Solaris 9, 10, 11...,
   AIX, Red Hat..., Debian, ...).
   So it would require that for each platform and each binary a digest
   would be generated which would generate a very complex sudo ruleset and
   a lot of processes and organizational activities.

   I see the race condition between time of validation and time of use. On
   the other hand you have something similar between retrieval from LDAP
   and executing on local system...
   So nevertheless, I'm still convinced that this "Privilege Extension
   Prevention" concept would be very helpful also in bigger setups and
   significantly increases the system security from an operational point of
   view.
   A lot of administrators are quite lazy, and often they forget to set
   the correct file permissions, so this functionality would force them to
   work more "secure".
   Do you think that this functionality can be added in future releases?

   Best regards
   Chris

   -----Original Message-----
   From: Todd C. Miller <Todd.Miller at courtesan.com>
   Sent: 2013-11-21 23:31:49
   To: Christopher Racky <christopher.racky at web.de>
   Subject: Re: [sudo-users] Sudo with PEP (Privilege Extension
   Prevention)
   It sounds like your main concern is that sudo might run a program
   or script that is writable by an unprivileged user, is that correct?
   There's currently no way to require that commands be writable only by
   root or the user the command is being run as, which sounds like
   what you want.  I think you'd have to disallow group writability
   too, as well as writability of the parent directory.

   Sudo 1.8.7 and higher allow you to specify a SHA-2 digest for a
   command which can prevent a modified program or script from being
   run.  However, if the directory the command is located in is writable
   by unprivileged users, there is a time of check vs. time of use
   race condition.

    - todd

   From: "Christopher Racky"
   To: sudo-users at sudo.ws
   Subject: [sudo-users] Sudo with PEP (Privilege Extension Prevention)
   Hello List,

   We have been using sudo with LDAP for quite a long time.

   Currently sudo has no privilege extension prevention, that means, sudo
   does not include any protection for permission extension.

   One example:
   If I have the permission to edit a binary like a script as a "normal user"
      e.g. vi /usr/local/sbin/makesomething.sh
   sudo has no protection that prevents me running this command in another
   user context, if the ruleset allows.
      e.g.  sudo /usr/local/sbin/makesomething.sh

   So from my point of view, sudo should prevent me from executing a
   command in another user context if I'm able to write to the executed
   file.
   Of course the executed file could join/merge or fork other processes,
   but this is -in my opinion- a very basic security functionality which
   should prevent some basic mistakes.

   Is there any special reason for not having such functionality?
   Or is this functionality already available?

   Dear list, users and technical architects, what is your opinion about
   that?

   Best regards
   Chris
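
The conditions named in Todd's reply (command writable only by root or the run-as user, no group writability, parent directory not writable) can be checked with a point-in-time audit like the one below. This is an added example, not part of the thread and not sudo code; the function names, the `allowed_uids` and `stop_at` parameters and the reason strings are assumptions, and the time-of-check vs. time-of-use caveat from the thread applies to it as well.

```python
import os
import stat


def writable_by_others(path, allowed_uids=(0,)):
    """Return the reasons why someone outside allowed_uids could modify path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in allowed_uids:
        reasons.append("owner uid %d not allowed" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_command(command, allowed_uids=(0,), stop_at="/"):
    """Check the command file and each parent directory up to stop_at.

    Returns a list of (path, reason) findings; an empty list means that only
    the allowed owners can change the file or replace it through a directory.
    Symlinks are resolved first, so the directories that hold the links
    themselves are not examined.
    """
    path = os.path.realpath(command)
    stop_at = os.path.realpath(stop_at)
    findings = []
    while True:
        for reason in writable_by_others(path, allowed_uids):
            findings.append((path, reason))
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            break
        path = parent
    return findings


if __name__ == "__main__":
    import sys

    # Usage: audit.py COMMAND [RUNAS_UID]  (root is always an allowed owner)
    uids = (0,) + tuple(int(u) for u in sys.argv[2:3])
    results = audit_command(sys.argv[1], uids)
    for found_path, why in results:
        print("%s: %s" % (found_path, why))
    sys.exit(1 if results else 0)
```
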


