[sudo-users] Using an environment variable in sudoers?

Shawn McMahon syberghost at gmail.com
Tue Oct 18 09:13:01 MDT 2016


On Tue, Oct 18, 2016 at 9:14 AM, leam hall <leamhall at gmail.com> wrote:

> On Tue, Oct 18, 2016 at 9:57 AM, Shawn McMahon <syberghost at gmail.com> wrote:
>
> > On Tue, Oct 18, 2016 at 8:48 AM, leam hall <leamhall at gmail.com> wrote:
> >
> > > Working through the things I've been asked to do. Most of them seem okay
> > > so far, but still stuck on using an environment variable in a sudoers file.
> > >
> > > What I'm looking for is to be able to put "$LEAM_PATH/my_command.sh" in
> > > sudoers. I've tried to add the following to /etc/sudoers.d/my_commands but
> > > get a syntax error.
> > >
> > >  Defaults env_keep += "LEAM_PATH"
> > >  leam                       ALL = $LEAM_PATH/my_command.sh
> > >
> >
> > A completely equivalent rule would be:
> >
> > leam       ALL = ALL
> >
> >
> Hey Shawn,
>
> Are you saying that because of the ability to reset the environment
> variable? I don't disagree, but wasn't sure if there's another option.


Yes. There's nothing stopping a user faced with that rule (if it worked)
from doing the following:

mkdir /tmp/foo/
echo "/bin/bash" >>/tmp/foo/my_command.sh
chmod +x /tmp/foo/my_command.sh
export LEAM_PATH=/tmp/foo
sudo /tmp/foo/my_command.sh
rm /tmp/foo/my_command.sh

or even easier:

ln -s /bin/bash /tmp/my_command.sh
export LEAM_PATH=/tmp

They could put anything in there, and remove (or change) it afterwards, and
do it over and over again. All you'd have in your logs is the invocation of
the script, not what's in it.

If you give a user the ability to use sudo to run something he can edit,
you have given him ALL.
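The same reasoning can be turned into an audit. The POSIX shell helper below is an added example, not part of this thread and not part of sudo itself: for each command listed in a sudoers fragment it resolves symlinks, then checks that the file and every directory above it are owned by root (or a caller-supplied uid) and carry no group or world write bit, since a writable parent directory lets the file be renamed or replaced just as surely as a writable file does. It assumes GNU coreutils (stat -c, readlink -f) and uses a deliberately minimal parser that understands the common "user host = (runas) TAG: /cmd, /cmd" shape, not the full sudoers grammar. Note that visudo -c rejects the "$LEAM_PATH" rule as a syntax error but says nothing about whether a syntactically valid target can be edited by the user who may run it; this check is meant to fill that gap.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit the command
# targets of a sudoers fragment. A rule such as
#     leam ALL = /opt/tools/my_command.sh
# only restricts "leam" if neither the file nor any directory above it
# can be modified by someone other than root; otherwise the script can be
# replaced (or symlinked to a shell) and the rule is really "ALL = ALL".
# Assumes GNU coreutils (stat -c, readlink -f).

# component_is_trusted PATH WANT_UID
# Return 0 if one path component is owned by WANT_UID and has no group or
# other write bit; print the reason to stderr and return 1 otherwise.
component_is_trusted() {
    comp=$1
    want_uid=$2
    owner=$(stat -c %u -- "$comp") || return 1
    perms=$(stat -c %a -- "$comp") || return 1      # e.g. 755, 1777, 2775
    if [ "$owner" -ne "$want_uid" ]; then
        echo "UNTRUSTED: $comp owned by uid $owner (expected $want_uid)" >&2
        return 1
    fi
    # last two octal digits are group and other; bit 2 is the write bit
    group_w=$(( (perms / 10 % 10) & 2 ))
    other_w=$(( (perms % 10) & 2 ))
    if [ "$group_w" -ne 0 ] || [ "$other_w" -ne 0 ]; then
        echo "UNTRUSTED: $comp is group- or world-writable (mode $perms)" >&2
        return 1
    fi
    return 0
}

# sudo_target_is_trusted PATH [WANT_UID] [TOP]
# Resolve PATH (so a symlink is judged by what it points at), then check the
# file and every ancestor directory up to TOP. WANT_UID defaults to 0
# (root); TOP defaults to / and exists so a staging tree can be audited
# before installation.
sudo_target_is_trusted() {
    want_uid=${2:-0}
    top=$(readlink -f "${3:-/}") || return 1
    p=$(readlink -f "$1") || return 1
    [ -f "$p" ] || { echo "UNTRUSTED: $1 is not a regular file" >&2; return 1; }
    case "$top" in /) prefix=/ ;; *) prefix=$top/ ;; esac
    case "$p" in
        "$prefix"*|"$top") ;;
        *) echo "UNTRUSTED: $1 resolves to $p, outside $top" >&2; return 1 ;;
    esac
    while :; do
        component_is_trusted "$p" "$want_uid" || return 1
        if [ "$p" = "$top" ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# audit_sudoers_fragment FILE [WANT_UID] [TOP]
# Minimal parser: for each rule or Cmnd_Alias line, take the list after "=",
# split on commas, drop "(runas)" and "TAG:" prefixes, and check the first
# word of each command. Returns the number of untrusted commands found.
audit_sudoers_fragment() {
    file=$1; want_uid=${2:-0}; top=${3:-/}
    bad=0
    set -f                                   # sudoers may contain wildcards
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        cmds=${line#*=}
        old_ifs=$IFS; IFS=','
        for spec in $cmds; do
            IFS=$old_ifs
            set -- $spec
            while [ $# -gt 0 ]; do
                case "$1" in \(*\)|*:) shift ;; *) break ;; esac
            done
            [ $# -gt 0 ] || continue
            case "$1" in
                ALL) echo "UNTRUSTED: '$line' grants ALL" >&2; bad=$((bad + 1)) ;;
                /*)  sudo_target_is_trusted "$1" "$want_uid" "$top" || bad=$((bad + 1)) ;;
                *)   echo "UNTRUSTED: '$1' is not an absolute path" >&2; bad=$((bad + 1)) ;;
            esac
        done
        IFS=$old_ifs
    done < "$file"
    set +f
    return "$bad"
}

# Usage: audit_sudoers_fragment /etc/sudoers.d/my_commands
```

Run it against each file in /etc/sudoers.d/ (and /etc/sudoers itself) as part of a configuration check; a non-zero return means at least one rule grants more than it appears to. The rule from the original question is reported because "$LEAM_PATH/my_command.sh" is not an absolute path, and a rule pointing into a user-writable directory is reported because of the directory, even when the script itself is root-owned.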


More information about the sudo-users mailing list