[sudo-users] /bin/bash in sudoers allows root access to a user????

Martin, Denis (Consultant) dmartin at cdpq.com
Fri Jun 7 06:55:35 MDT 2019


Hi,

So, to make sure we do not give full root access, the shells should never be put in sudoers...

Thanks for a rapid answer!

Have a great day!

Thanks and…
Have a good day!

Vacation notice: please note that I will be on vacation from June 22 to July 2 inclusive.

______________________________________
Denis Martin
Consultant
Infrastructure
Office B2.63
Tel: +1-514-673-6899
Cell: +1-438-350-7927

dmartin at cdpq.com

1000, place Jean-Paul-Riopelle
Montréal (Québec) H2Z 2B3
cdpq.com
La Caisse de dépôt et placement du Québec subscribes to the principles of sustainable development.
Please consider the environment before printing this email.


-----Original Message-----
From: Todd C. Miller <Todd.Miller at sudo.ws>
Sent: June 7, 2019 08:37
To: Martin, Denis (Consultant) <dmartin at cdpq.com>
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] /bin/bash in sudoers allows root access to a user????

On Thu, 06 Jun 2019 20:15:27 -0000, "Martin, Denis (Consultant)" wrote:

> I came across a strange behavior of sudo.
>
> We have created an account for Rapid7 Nexpose software to allow it to
> scan our machines for vulnerabilities as well as CIS security.
>
> The software needs to have access to multiple commands with root
> privileges. To do so, we have added the commands to our sudoers file.
> While doing some troubleshooting for another thing I issued "sudo -i"
> using that account instead of mine and got stunned when I got access
> to the root account!
>
> All our other sudo users don't have access to root by issuing "sudo
> -i". I looked in the sudoers file to find what was specific to that
> user and found that the command "/bin/bash" is THE ONE giving root
> access to that user as well as to the other users that are part of the
> same group. I confirmed this by removing that command from the sudoers
> file and noticed that root access is no longer granted to that user.
>
> Why does including "/bin/bash" in the sudoers file allow root access
> with "sudo -i"???
>
> "/bin/sh" and "/bin/ksh" don't allow it...

To run "sudo -i", a user just needs permission to run the target user's shell.  In this case, the target user is root and their shell is /bin/bash.  Since the user running sudo has permission to run bash, they can run "sudo -i".

In other words, because sudoers allows the user to run /bin/bash and since root's shell is /bin/bash, the user is allowed to run "sudo -i".  This isn't really much different from the user running "bash -l" directly.

 - todd

________________________________

Notice of Confidentiality: This electronic mail message, including any attachments, is confidential and may be privileged and protected by professional secrecy. They are intended for the exclusive use of the addressee. If you are not the intended addressee or the person responsible for delivering this document to the intended addressee, you are hereby advised that any disclosure, reproduction, copy, distribution or other use of this information is strictly forbidden. If you have received this document by mistake, please immediately inform the sender by telephone, destroy and delete the information received from any hard disk or any media on which it may have been registered and do not keep any copy. Thank you for your cooperation.
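As an added illustration of Todd's point (this is not code from the thread or from the sudo project): a small audit that parses sudoers-style rules and flags any granted command that is the target user's login shell, which is all "sudo -i" needs, or any other shell. The sample rules, the SHELLS list and the shell_of mapping are constructed for the example; a real check would read /etc/sudoers and /etc/passwd.

```python
"""Audit sudoers rules for entries that amount to a root shell (added example,
not the sudo project's code). Handles only the plain 'user host=(runas) [TAG:]
cmd, cmd' form; Defaults, alias and #include lines are skipped."""
import re

# Interpreters that give an interactive shell when run via sudo (assumed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/zsh", "/bin/dash", "/usr/bin/bash"}

# Constructed sample; the 'nexpose' line mirrors the case in the thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
%admins ALL=(ALL) /usr/bin/systemctl, /usr/sbin/service
nexpose ALL=(root) /usr/bin/find, /bin/bash, /usr/sbin/ss
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_rules(text):
    """Yield (user, runas, [command paths]) for each plain user specification."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # No (runas) part, or an empty user part, means the default target: root.
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        cmds = []
        for c in m.group("cmds").split(","):
            c = re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())  # drop NOPASSWD: and other tags
            cmds.extend(c.split()[:1])  # keep the path only, ignore arguments
        yield m.group("user"), runas, cmds

def find_shell_grants(text, shell_of):
    """Return [(user, runas, cmd, reason)]; shell_of maps target users to login shells."""
    hits = []
    for user, runas, cmds in parse_rules(text):
        login = set(shell_of.values()) if runas == "ALL" else {shell_of.get(runas)}
        for cmd in cmds:
            if cmd == "ALL":
                hits.append((user, runas, cmd, "unrestricted"))
            elif cmd in login:  # exactly what 'sudo -i' runs, as Todd explains
                hits.append((user, runas, cmd, "login shell: 'sudo -i' works"))
            elif cmd in SHELLS:
                hits.append((user, runas, cmd, f"shell: 'sudo {cmd}' is interactive"))
    return hits
```

Calling find_shell_grants(SAMPLE_SUDOERS, {"root": "/bin/bash"}) flags the root rule as unrestricted and the nexpose rule's /bin/bash as equivalent to "sudo -i", while the %admins and backup rules pass.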

