[sudo-users] Restricting / Limiting permission/ownership of targeted binaries?
Grant Taylor
gtaylor at tnetconsulting.net
Mon Apr 26 10:04:50 MDT 2021
On 4/26/21 7:25 AM, A. James Lewis wrote:
> Hi,
Hi,
> I've been trying to figure out if there's a way to cause sudo to
> validate that a particular binary has "secure permissions", before
> allowing it to run, in the same way that sshd will not use an
> "authorized_keys" file if it has insecure permissions.
I'm not aware of anything being built into sudo to check this.
Note: My ignorance of such a feature does not preclude it from existing.
> Any advice/suggestions etc. would be appreciated... The last time I
> mentioned something here, the answer was "ahh, the next version of sudo
> can do that"... so, here's hoping for another miracle.
Have you considered sudo's ability to check a hash of the binary in
question? I would think that a hash of a known good version of the file
would be quite difficult to fake with a maliciously modified version.
Despite the permissions of the file and its (parent) directory(ies).
--
Grant. . . .
unix || die
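The two pieces discussed above, as an added example that is not part of the thread and not code from the sudo project: a helper that emits a sudoers Cmnd_Spec pinning a command to its SHA-256 digest (the Digest_Spec syntax of sudoers(5), available since sudo 1.8.7), and an sshd-StrictModes-style ownership and write-bit walk over the binary and its parent directories, which is the check the original poster asked for and which sudo does not do itself. The function names, the user "alice", the path "deploy" and the throwaway tree built in the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the sudo project or from the thread above.
#   sudoers_digest_line - emit a sudoers Cmnd_Spec that pins a binary by SHA-256
#   binary_is_secure    - sshd-StrictModes-style ownership/permission walk,
#                         which is the check sudo itself does not provide
# Helper names are made up for this example; the "sha256:<hex>" form before
# the command is the real Digest_Spec syntax from sudoers(5).

# SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print "USER ALL = sha256:<hex> PATH". sudo refuses to run PATH once its
# contents no longer match the digest, whatever the file's mode is.
sudoers_digest_line() {
    user=$1; bin=$2
    printf '%s ALL = sha256:%s %s\n' "$user" "$(sha256_of "$bin")" "$bin"
}

# Return 0 when PATH is owned by root or by OWNER_UID and carries no group
# or other write bit: the rule sshd applies to authorized_keys and its
# parent directories.
path_is_secure() {
    p=$1; owner=$2
    # ls -ldnL: long listing of the entry itself, numeric ids, follow symlinks
    out=$(ls -ldnL "$p" 2>/dev/null) || return 1
    set -- $out
    mode=$1; uid=$3
    [ "$uid" -eq 0 ] || [ "$uid" -eq "$owner" ] || return 1
    # mode string layout: char 6 = group write, char 9 = other write
    [ "$(printf '%s' "$mode" | cut -c6)" = "-" ] || return 1
    [ "$(printf '%s' "$mode" | cut -c9)" = "-" ] || return 1
    return 0
}

# Walk from PATH up to TOP (default "/"), checking every component.
# Usage: binary_is_secure PATH [OWNER_UID] [TOP]
binary_is_secure() {
    p=$1; owner=${2:-0}; top=${3:-/}
    while :; do
        path_is_secure "$p" "$owner" || return 1
        [ "$p" = "$top" ] && return 0
        [ "$p" = "/" ] && return 1   # ran off the top without meeting TOP
        p=$(dirname "$p")
    done
}

# Demo on a constructed throwaway tree; no real sudoers file is touched.
demo() {
    t=$(mktemp -d)
    mkdir "$t/bin"
    printf '#!/bin/sh\necho deploy\n' > "$t/bin/deploy"
    chmod 755 "$t" "$t/bin" "$t/bin/deploy"
    sudoers_digest_line alice "$t/bin/deploy"
    if binary_is_secure "$t/bin/deploy" "$(id -u)" "$t"; then
        echo "ok: $t/bin/deploy and its parents are secure"
    fi
    chmod g+w "$t/bin"        # a group-writable parent directory
    binary_is_secure "$t/bin/deploy" "$(id -u)" "$t" \
        || echo "rejected: $t/bin is group-writable"
    rm -rf "$t"
}
demo
```

Feed the emitted line through `visudo -c -f <file>` before installing it, and regenerate it on every legitimate upgrade of the binary, since the digest pins the contents rather than the permissions: a repackaged or hand-patched file simply stops being runnable through sudo until the sudoers line is updated. The permission walk is the part sudo does not do, so it has to run out of band (for example from the same job that regenerates the digest line).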