[sudo-users] sudo remove -s and -i option

Goodman Leung gbcbooksmj at gmail.com
Wed Aug 23 08:55:08 MDT 2017


here is the result:

user1 at kickseed:~$ sudo awk 'BEGIN {system("/bin/sh")}'
sh: 1: Syntax error: "(" unexpected
user1 at kickseed:~$ sudo vim <esc> :sh
-su: esc: No such file or directory
wujiyu at kickseed:~$

for:
sudo cp -p /bin/bash foo
sudo ./foo
this is not going to work.

On 2017/8/23 22:52, Shawn McMahon wrote:
> It's worse than that. They can do this:
>
> sudo cp -p /bin/bash foo
> sudo ./foo -i
>
> You cannot stop shells with blacklisting; not even with NOEXEC. Only 
> whitelisting has a prayer of stopping shells. Where blacklisting is 
> used, it's generally considered to be a reminder that folks shouldn't 
> do that, not a barrier.
>
> You're just creating speed bumps that will engender a lack of respect 
> for Security and Compliance in your users because you don't want to 
> tackle a difficult political problem. You can't solve political 
> problems with technical solutions; especially bad technical solutions.
>
> BTW, NOEXEC is great for restricting the capabilities of whitelisted 
> programs. Using it with "ALL" and a blacklist will result in it 
> breaking things, because that's NOEXEC's job; to break things. But 
> it'll include things you don't want broken.
>
> But do what you want, man; I'm not your mom. Just hope I'm never your 
> auditor.
>
>
> On Wed, Aug 23, 2017 at 9:37 AM, Paul Cantle <paul at cantle.me> wrote:
>
>     Hi,
>
>     Plenty unless you specify NOEXEC in sudoers – vi, vim, less, awk
>     and probably others.
>
>     Examples:
>
>     sudo awk 'BEGIN {system("/bin/sh")}' – will give a root shell
>     sudo vim <esc> :sh – will give a root shell
>
>     If people need to be able to edit files as root, sudoedit or
>     sudo -e is a safer option.
>
>     I cannot stress enough that this isn’t the way to go – Really, you
>     should just limit the commands that people need to execute as root
>     and not mess with the sudo program itself.
>
>     Just my 2c
>
>     Rgds
>     Paul
>
>
>
>     On 23/08/2017, 15:32, "sudo-users on behalf of Goodman Leung"
>     <sudo-users-bounces at sudo.ws on behalf of gbcbooksmj at gmail.com> wrote:
>
>         here is the output when my user executes sudo /bin/bash
>
>         user1 at kickseed:~$ sudo /bin/bash
>         Traceback (most recent call last):
>            File "<string>", line 92, in <module>
>            File "<string>", line 33, in check_element
>         IndexError: list index out of range
>
>         I think they get the same result when they use /bin/sh instead.
>
>         Do you know any other command that can get a root shell?
>
>         On 2017/8/23 16:38, Maarten de Vries wrote:
>         >
>         >
>         > On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com> wrote:
>         >
>         >     Well, before I'm doing this, I have another solution: I wrote
>         >     a security binary to replace /usr/bin/sudo.
>         >
>         >     You are not able to execute sudo -s, sudo -i, sudo su, and even
>         >     sudo /bin/bash.
>         >
>         >
>         >     Would you guys wanna try?
>         >
>         >     I just think it is not perfect enough.
>         >
>         >
>         > I think it is a really bad idea. If you want to prevent users
>         > executing arbitrary commands you MUST whitelist exactly the
>         > commands that they should be able to use.
>         >
>         > Blocking only shells is almost completely pointless because
>         > users can still execute *every* other command from their own
>         > shell prefixed with sudo. The only thing you would win is that
>         > every sudo invocation is logged. But if they want they can
>         > destroy all logs on the local system.
>         >
>         > Also, shells and editors are far from the only tools that
>         > allow you to bypass sudo logging. Every script interpreter
>         > (python/ruby/perl/etc) can do the same. And then there are many
>         > more interactive tools that allow users to run arbitrary commands.
>         >
>         > And if you did blacklist *everything* (which is impossible),
>         > then users can just copy a blacklisted binary to their home
>         > folder with a different name so it is not blacklisted anymore.
>         >
>         > In short: if you want to allow users to run arbitrary commands
>         > as root, but not shells, you're pretty much out of luck. If you
>         > want to allow them to do some specific things as root, whitelist
>         > exactly those. Either way, writing your own sudo is not the
>         > solution.
>         >
>         > -- Maarten
>
>         ____________________________________________________________
>         sudo-users mailing list <sudo-users at sudo.ws>
>         For list information, options, or to unsubscribe, visit:
>         https://www.sudo.ws/mailman/listinfo/sudo-users
>
>
>
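The replies above make one configuration point from three angles: a sudoers rule that grants ALL and then subtracts shells and editors cannot hold (awk and vim spawn shells, a copied bash under another name is not in the list), so the only workable shape is a whitelist of the exact commands, with NOEXEC on them and sudoedit instead of a full editor. The following is an added example, not code from the thread or from the sudo project: it puts the weak blacklist fragment next to the recommended whitelist fragment and runs a small awk audit that flags the blacklist pattern ("ALL, !/path") in a sudoers file. The user name user1, the nginx service commands, the Cmnd_Alias name and the file paths are constructed for illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the sudo-users thread or the sudo project):
# the blacklist sudoers style argued against above, the whitelist style
# recommended instead, and an awk check that flags blacklist rules.
# user1, the nginx commands, the alias name and the paths are constructed.

# Constructed sample: grant ALL, then try to forbid shells and editors.
# This is the shape the thread says cannot work.
WEAK_SUDOERS='# constructed: blacklist approach
user1 ALL=(ALL) ALL, !/bin/bash, !/bin/sh, !/usr/bin/vim, !/usr/bin/awk
'

# Constructed sample: whitelist exactly the commands needed, NOEXEC so
# they cannot execute further programs, and sudoedit for file editing
# instead of running an editor as root.
STRICT_SUDOERS='# constructed: whitelist approach
Cmnd_Alias NGINX_SVC = /usr/sbin/service nginx restart, /usr/sbin/service nginx status
user1 ALL=(root) NOEXEC: NGINX_SVC
user1 ALL=(root) sudoedit /etc/nginx/nginx.conf
'

# write_samples DIR: write both constructed fragments as DIR/weak, DIR/strict.
write_samples() {
    printf '%s' "$WEAK_SUDOERS" > "$1/weak"
    printf '%s' "$STRICT_SUDOERS" > "$1/strict"
}

# count_blacklist_rules FILE
# Prints the number of non-comment rules that grant ALL and then subtract
# commands with "!" (the "ALL, !/path" pattern). Aliases and NOEXEC
# whitelist rules do not match.
count_blacklist_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        /=/ && /[[:space:]]ALL[[:space:]]*,/ && /,[[:space:]]*!/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_sudoers FILE
# Prints each blacklist rule with its file and line number; exit status is
# 1 if any were found, 0 otherwise, so it can be used in a pipeline or CI.
audit_sudoers() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /=/ && /[[:space:]]ALL[[:space:]]*,/ && /,[[:space:]]*!/ {
            printf "%s:%d: blacklist rule (ALL minus commands); whitelist instead: %s\n", FILENAME, NR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Demo: write both samples to a temporary directory and audit each one.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in "$dir/weak" "$dir/strict"; do
        if audit_sudoers "$f"; then
            echo "$f: no blacklist rules found"
        fi
    done
    rm -rf "$dir"
}

demo
```

The audit only recognises the one shape the thread discusses (a positive ALL followed by "!" exclusions); it is a linting aid for configuration review, not a substitute for reading the file. Before installing a fragment under /etc/sudoers.d, check its syntax with `visudo -c -f FILE`, which parses an alternate file without touching the live sudoers.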