[sudo-users] scripting sudo's digest functions

Michael W. Lucas mwlucas at michaelwlucas.com
Tue Jun 25 14:19:26 MDT 2019


Hi,

Sudo has a nifty digest-verification function, where it can check the
cryptographic digest of a command before running it.

At my last job I wrote a couple of Perl scripts to build
platform-specific digest-checking sudoers files for all programs in
system directories. I've cleaned them up some and added Linux
support. They're not on github because once I do that other folks
might find them, and I'm not convinced this is a good thing.  But I'd
like some feedback, so I'm posting here.

Code is at http://www-old.michaelwlucas.com/sudo/

Usage:

Set the directories you want to target at the top of $sudodigest.pl.

# cd /etc/sudoers.d
# sudodigest.pl > 00-digests
# ids-sudoers.pl > 01-wheel
# visudo -cf /etc/sudoers

This creates platform-unique aliases for each command, and an
EVERYTHING alias that includes all those aliases. There are also rules
to let wheel and sudo groups run everything. But you can cut those out
and do aliases like:

Cmnd_Alias NOSHELL = EVERYTHING, !/bin/sh, !/bin/bash, !/bin/su
%wheel ALL=NOSHELL

EVERYTHING is an explicit list of programs in system directories, so
it doesn't include user-created /tmp/sh.

So: if you need sudo IDS, is this reasonable?

==ml


-- 
Michael W. Lucas 	https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
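The generator described in the post is not reproduced here, but the following POSIX shell script is an added example (not Michael's code) of the same idea: walk the given system directories, emit one digest-pinned Cmnd_Alias per executable, and collect them into an EVERYTHING alias. The function and alias names (sha256_of, alias_name, gen_digest_sudoers, the D_ prefix) are assumptions for this example; the sudoers digest syntax itself (`sha256:<hex> /path`, supported since sudo 1.8.7) is real.

```shell
#!/bin/sh
# Added example: build a sudoers fragment that pins every executable in the
# listed directories to its SHA-256 digest. Function names are hypothetical.
set -eu

# Hex SHA-256 of a file, using whichever digest tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# sudoers alias names must match [A-Z][A-Z0-9_]*, so derive one from the
# path: /usr/bin/ls -> D__USR_BIN_LS. (Paths differing only in punctuation
# would collide; visudo -c will reject the duplicate alias.)
alias_name() {
    printf 'D_%s\n' "$1" | tr 'a-z' 'A-Z' | sed 's/[^A-Z0-9_]/_/g'
}

# Emit one Cmnd_Alias per regular executable file in each directory given
# as an argument, then an EVERYTHING alias naming all of them.
gen_digest_sudoers() {
    everything=""
    for dir in "$@"; do
        for f in "$dir"/*; do
            # Regular executable files only: skip subdirectories, sockets,
            # dangling symlinks and the literal "dir/*" of an empty directory.
            [ -f "$f" ] && [ -x "$f" ] || continue
            # Skip paths that would need escaping in sudoers (spaces, commas,
            # colons, equals, backslashes) rather than emit a broken rule.
            case "$f" in *[!A-Za-z0-9_./+-]*) continue ;; esac
            name=$(alias_name "$f")
            printf 'Cmnd_Alias %s = sha256:%s %s\n' \
                "$name" "$(sha256_of "$f")" "$f"
            everything="${everything:+$everything, }$name"
        done
    done
    printf 'Cmnd_Alias EVERYTHING = %s\n' "$everything"
}

# Stand-alone use: ./gen-digests.sh /bin /sbin /usr/bin /usr/sbin > 00-digests
if [ "$#" -gt 0 ]; then
    gen_digest_sudoers "$@"
fi
```

Write the output into /etc/sudoers.d, then run `visudo -cf /etc/sudoers` before trusting it. Two caveats a practitioner should keep in mind: the digest is bound to the exact path listed, so a copy of the same binary elsewhere (the /tmp/sh case) does not match, which is the intended effect; and every package upgrade that touches a listed binary changes its digest, so the fragment must be regenerated after updates or those commands silently stop matching.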