[sudo-users] sudo remove -s and -i option

Shawn McMahon syberghost at gmail.com
Wed Aug 23 08:52:19 MDT 2017


It's worse than that. They can do this:

sudo cp -p /bin/bash foo
sudo ./foo -i

You cannot stop shells with blacklisting; not even with NOEXEC. Only
whitelisting has a prayer of stopping shells. Where blacklisting is used,
it's generally considered to be a reminder that folks shouldn't do that,
not a barrier.

You're just creating speed bumps that will engender a lack of respect for
Security and Compliance in your users because you don't want to tackle a
difficult political problem. You can't solve political problems with
technical solutions; especially bad technical solutions.

BTW, NOEXEC is great for restricting the capabilities of whitelisted
programs. Using it with "ALL" and a blacklist will result in it breaking
things, because that's NOEXEC's job; to break things. But it'll include
things you don't want broken.

But do what you want, man; I'm not your mom. Just hope I'm never your
auditor.


On Wed, Aug 23, 2017 at 9:37 AM, Paul Cantle <paul at cantle.me> wrote:

> Hi,
>
> Plenty unless you specify NOEXEC in sudoers – vi, vim, less, awk and
> probably others.
>
> Examples:
>
> sudo awk 'BEGIN {system("/bin/sh")}' – will give a root shell
> sudo vim <esc> :sh – will give a root shell
>
> if people need to be able to edit files as root sudoedit or sudo –e is a
> safer option.
>
> I cannot stress enough that this isn’t the way to go – Really, you should
> just limit the commands that people need to execute as root and not mess
> with the sudo program itself.
>
> Just my 2c
>
> Rgds
> Paul
>
>
>
> On 23/08/2017, 15:32, "sudo-users on behalf of Goodman Leung" <
> sudo-users-bounces at sudo.ws on behalf of gbcbooksmj at gmail.com> wrote:
>
>     here is the output when my user execute sudo /bin/bash
>
>     user1 at kickseed:~$ sudo /bin/bash
>     Traceback (most recent call last):
>        File "<string>", line 92, in <module>
>        File "<string>", line 33, in check_element
>     IndexError: list index out of range
>
>     i thing they get the same result when they use /bin/sh instead .
>
>     do you know any aother command can get a root shell ?
>
>     在 2017/8/23 16:38, Maarten de Vries 写道:
>     >
>     >
>     > On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com
>     > <mailto:gbcbooksmj at gmail.com>> wrote:
>     >
>     >     well ,  before i m doing this, i have another solutions , i write
>     >     a security binary to replace /usr/bin/sudo ,
>     >
>     >     you are not able to execute sudo -s , sudo -i , sudo su , and
> even
>     >     sudo /bin/bash.
>     >
>     >
>     >     would you guys wanna try ?
>     >
>     >     i just think it is not perfect enough.
>     >
>     >
>     > I think it is a really bad idea. If jou want to prevent users
>     > executing arbitrary commands jou MUST whitelist exactly the commands
>     > that they should be able to use.
>     >
>     > Blocking only shells is almost completely pointless because users can
>     > still execute *every* other command from their own shell prefixed
> with
>     > sudo. The only thing you would win is that every sudo invocation is
>     > logged. But if they want they can destroy all logs on the local
> system.
>     >
>     > Also, shells and editors are far from the only tools that allow you
> to
>     > bypass sudo logging. Every script interpreter (python/ruby/perl/etc)
>     > can do the same. And then there are many more interactive tools that
>     > allow users to run arbitrary commands.
>     >
>     > And if you did blacklist *everything* (which is impossible), then
>     > users can just copy a blacklisted binary to their home folder with a
>     > different name so it is not blacklisted anymore.
>     >
>     > In short: if you want to allow users to run arbitrary commands as
>     > root, but not shells, you're pretty much out of luck. If you want to
>     > allow them to do some specific things as root, whitelist exactly
>     > those. Either way, writing your own sudo is not the solution.
>     >
>     > -- Maarten
>
>     ____________________________________________________________
>     sudo-users mailing list <sudo-users at sudo.ws>
>     For list information, options, or to unsubscribe, visit:
>     https://www.sudo.ws/mailman/listinfo/sudo-users
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
>


More information about the sudo-users mailing list