[sudo-users] Restricting / Limiting permission/ownership of targeted binaries?

A. James Lewis james at fsck.co.uk
Mon Apr 26 10:20:17 MDT 2021


On 26/04/2021 17:04, Grant Taylor via sudo-users wrote:
> On 4/26/21 7:25 AM, A. James Lewis wrote:
>> Hi,
>
> Hi,
>
>> I've been trying to figure out if there's a way to cause sudo to 
>> validate that a particular binary has "secure permissions", before 
>> allowing it to run, in the same way that sshd will not use an 
>> "authorized_keys" file if it has insecure permissions.
>
> I'm not aware of anything being built into sudo to check this.
>
> Note:  My ignorance of such a feature does not preclude it from existing.

Indeed.... I could not find anything in the "sudo" documentation 
either... although as I mentioned, the last time I posted here, the 
feature I wanted was in the /next/ release... so I guess there's a 
chance it might not be in the documentation.. :)


>
>> Any advice/suggestions etc. would be appreciated...  The last time I 
>> mentioned something here, the answer was "ahh, the next version of sudo 
>> can do that"... so, here's hoping for another miracle.
>
> Have you considered sudo's ability to check a hash of the binary in 
> question?  I would think that a hash of a known good version of the 
> file would be quite difficult to fake with a maliciously modified 
> version. Despite the permissions of the file and it's (parent) 
> directory(ies).

Yes, I have considered this... in fact the feature I wanted last time was 
the ability to define a rule based on the hash alone, so that the actual 
path to the command did not matter... This became possible in 1.9 I believe.


It would make a lot of sense to include a hash of a known good version, 
but in this case... there are many different machines of different 
versions involved, and I do not know the specific hash of the binaries 
in question... there may indeed be many different versions and they may 
change when the application is patched.

My problem is one of "too many cooks",... leading to a possibility that 
permissions could be changed by someone who lacks understanding of the 
implications... and I want to ensure that sudo would cease to run the 
command with escalated privileges, in the same way that sshd would cease 
to allow logins based on "authorized_keys" if the permissions of that 
file were insecure.

Perhaps it is a feature that would be useful for others as well?....


> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-users
-- 
*ค. ﻝค๓єร ɭєฬเร* (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."


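As the thread notes, sudo has no built-in equivalent of sshd's StrictModes check, and a digest rule only helps when the known-good hashes are available. One way to get the same effect today is a small wrapper that the sudoers rule grants instead of the target, and which refuses to exec the target unless the binary and every parent directory up to / are root-owned and not group- or world-writable. The script below is an added example written for this page; it is not sudo's code and was not posted to the list. It assumes Linux with GNU coreutils (`stat -c`, `readlink -f`), a required owner uid of 0 unless another is passed, and the script name `sudo_checked.sh` is an assumption. Setgid and sticky bits are handled explicitly, because `stat %A` prints `s`/`t` in place of the group/other `w` when those bits are set, so a naive check for `w` would wave through a 1777 directory such as /tmp.

```sh
#!/bin/sh
# Added example, not part of sudo: an sshd StrictModes-style check that
# refuses to run a command unless the binary AND every parent directory
# up to / are owned by the expected uid (0 by default) and are neither
# group- nor world-writable.  Assumes GNU coreutils (Linux) for
# `stat -c` and `readlink -f`.

# check_node PATH UID
#   Succeed only if PATH is owned by UID and has no group/other write bit.
check_node() {
    info=$(stat -L -c '%u %A' "$1" 2>/dev/null) || return 1
    owner=${info%% *}            # numeric uid
    sym=${info#* }               # symbolic mode, e.g. -rwxr-xr-x
    [ "$owner" = "$2" ] || return 1
    case "$sym" in
        ?????[ws]*)    return 1 ;;  # 6th char: group write ('s' = write+setgid)
    esac
    case "$sym" in
        ????????[wt]*) return 1 ;;  # 9th char: other write ('t' = write+sticky)
    esac
    return 0
}

# check_command_path PATH [UID]
#   Resolve symlinks, then walk from the file up to / applying check_node
#   to every component.  The first insecure component is reported on
#   stderr and the function fails, mirroring sshd's refusal of an
#   authorized_keys file that sits below a writable directory.
check_command_path() {
    uid=${2:-0}
    p=$(readlink -f "$1") || return 1
    while :; do
        check_node "$p" "$uid" || {
            echo "refusing: $p is not owned by uid $uid or is group/world-writable" >&2
            return 1
        }
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# run_checked PATH [ARGS...]
#   Wrapper body: exec the command only if its whole path chain is secure.
#   The sudoers rule grants this wrapper (which must itself be root-owned
#   and non-writable, or the check is pointless) rather than the target.
run_checked() {
    check_command_path "$1" 0 || exit 1
    exec "$@"
}

# Usage: sudo_checked.sh /path/to/command [args...]
# With no arguments nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    run_checked "$@"
fi
```

The check covers the failure mode raised above: a well-meaning chmod on the binary, or on any directory leading to it, makes the wrapper refuse rather than silently keep escalating. It does not replace a digest rule where hashes are known; the two compose, with the digest catching a modified file and the permission walk catching the conditions under which one could be modified.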