[sudo-users] sudo remove -s and -i option

Paul Cantle paul at cantle.me
Wed Aug 23 08:56:56 MDT 2017


No, type this

sudo vim   or sudo vi

Then hit the escape key

Then type

:sh

From: Goodman Leung <gbcbooksmj at gmail.com>
Date: Wednesday, 23 August 2017 at 15:54
To: Shawn McMahon <syberghost at gmail.com>, Paul Cantle <paul at cantle.me>
Cc: Maarten de Vries <maarten.de.zoveelste at gmail.com>, "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: Re: [sudo-users] sudo remove -s and -i option

here is the result:

user1 at kickseed:~$ sudo awk 'BEGIN {system("/bin/sh")}'
sh: 1: Syntax error: "(" unexpected
user1 at kickseed:~$ sudo vim <esc> :sh
-su: esc: No such file or directory
wujiyu at kickseed:~$

for:
sudo cp -p /bin/bash foo
sudo ./foo
This is not going to work.
On 2017/8/23 22:52, Shawn McMahon wrote:
It's worse than that. They can do this:

sudo cp -p /bin/bash foo
sudo ./foo -i

You cannot stop shells with blacklisting; not even with NOEXEC. Only whitelisting has a prayer of stopping shells. Where blacklisting is used, it's generally considered to be a reminder that folks shouldn't do that, not a barrier.

You're just creating speed bumps that will engender a lack of respect for Security and Compliance in your users because you don't want to tackle a difficult political problem. You can't solve political problems with technical solutions; especially bad technical solutions.

BTW, NOEXEC is great for restricting the capabilities of whitelisted programs. Using it with "ALL" and a blacklist will result in it breaking things, because that's NOEXEC's job; to break things. But it'll include things you don't want broken.

But do what you want, man; I'm not your mom. Just hope I'm never your auditor.


On Wed, Aug 23, 2017 at 9:37 AM, Paul Cantle <paul at cantle.me> wrote:
Hi,

Plenty unless you specify NOEXEC in sudoers – vi, vim, less, awk and probably others.

Examples:

sudo awk 'BEGIN {system("/bin/sh")}' – will give a root shell
sudo vim <esc> :sh – will give a root shell

If people need to be able to edit files as root, sudoedit or sudo -e is a safer option.

I cannot stress enough that this isn’t the way to go – Really, you should just limit the commands that people need to execute as root and not mess with the sudo program itself.

Just my 2c

Rgds
Paul



On 23/08/2017, 15:32, "sudo-users on behalf of Goodman Leung" <sudo-users-bounces at sudo.ws on behalf of gbcbooksmj at gmail.com> wrote:

    here is the output when my user executes sudo /bin/bash

    user1 at kickseed:~$ sudo /bin/bash
    Traceback (most recent call last):
       File "<string>", line 92, in <module>
       File "<string>", line 33, in check_element
    IndexError: list index out of range

    I think they get the same result when they use /bin/sh instead.

    Do you know any other command that can get a root shell?

    On 2017/8/23 16:38, Maarten de Vries wrote:
    >
    >
    > On 23 Aug 2017 4:15 a.m., "Goodman Leung" <gbcbooksmj at gmail.com> wrote:
    >
    >     Well, before I'm doing this, I have another solution: I wrote
    >     a security binary to replace /usr/bin/sudo.
    >
    >     You are not able to execute sudo -s, sudo -i, sudo su, and even
    >     sudo /bin/bash.
    >
    >
    >     Would you guys wanna try?
    >
    >     I just think it is not perfect enough.
    >
    >
    > I think it is a really bad idea. If you want to prevent users
    > executing arbitrary commands you MUST whitelist exactly the commands
    > that they should be able to use.
    >
    > Blocking only shells is almost completely pointless because users can
    > still execute *every* other command from their own shell prefixed with
    > sudo. The only thing you would win is that every sudo invocation is
    > logged. But if they want they can destroy all logs on the local system.
    >
    > Also, shells and editors are far from the only tools that allow you to
    > bypass sudo logging. Every script interpreter (python/ruby/perl/etc)
    > can do the same. And then there are many more interactive tools that
    > allow users to run arbitrary commands.
    >
    > And if you did blacklist *everything* (which is impossible), then
    > users can just copy a blacklisted binary to their home folder with a
    > different name so it is not blacklisted anymore.
    >
    > In short: if you want to allow users to run arbitrary commands as
    > root, but not shells, you're pretty much out of luck. If you want to
    > allow them to do some specific things as root, whitelist exactly
    > those. Either way, writing your own sudo is not the solution.
    >
    > -- Maarten

    ____________________________________________________________
    sudo-users mailing list <sudo-users at sudo.ws>
    For list information, options, or to unsubscribe, visit:
    https://www.sudo.ws/mailman/listinfo/sudo-users

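An added example, not posted by anyone in this thread, showing the two approaches the thread contrasts as sudoers fragments: the blacklist-style entry that the replies above say cannot hold, next to a whitelist-style entry that applies NOEXEC only to the whitelisted commands and routes file edits through sudoedit. The user name, service and file paths are assumed.

```sudoers
# Added example; not from the thread. User "user1", the nginx service and all
# paths are assumed. Check syntax before installing: visudo -c -f <file>

# WEAK: "ALL" plus a blacklist of shells. Any other whitelisted-by-default
# command that can spawn a shell still works, and the thread's own bypass
# (copy /bin/bash to a different name and run that) defeats the "!" entries.
# user1  ALL=(ALL) ALL, !/bin/bash, !/bin/sh, !/usr/bin/vim

# STRONGER: whitelist exactly the commands user1 needs, with arguments.
Cmnd_Alias SERVICE_CTL = /bin/systemctl restart nginx, \
                         /bin/systemctl status nginx
Cmnd_Alias LOG_VIEW    = /usr/bin/less /var/log/nginx/error.log

# NOEXEC on the whitelisted command keeps less from exec'ing other programs
# (its "!" shell escape). It is scoped to LOG_VIEW, so it does not break
# unrelated tools the way "Defaults noexec" over ALL would.
# Caveat: NOEXEC blocks exec only; less can still open other files as root
# with ":e", so choose whitelisted programs with that in mind.
user1  ALL=(root) SERVICE_CTL, NOEXEC: LOG_VIEW

# Edits go through sudoedit: the file is copied to a temp file, edited as
# user1 with the user's own editor, and copied back. No editor runs as root.
user1  ALL=(root) sudoedit /etc/nginx/nginx.conf
```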
