[sudo-users] Restricting / Limiting permission/ownership of targeted binaries?

A. James Lewis james at fsck.co.uk
Tue Apr 27 05:37:31 MDT 2021


On 26/04/2021 18:23, Grant Taylor via sudo-users wrote:
> On 4/26/21 10:20 AM, A. James Lewis wrote:
>> It would make a lot of sense to include a hash of a known good version, 
>> but in this case... there are many different machines of different 
>> versions involved, and I do not know the specific hash of the 
>> binaries in question... there may indeed be many different versions 
>> and they may change when the application is patched.
>
> Ya.
>
> Keeping sudoers up to date with the different hashes can be a lot of 
> effort.
>
> Fortunately, my understanding is, that you can have the same path with 
> multiple different hashes.  E.g. one hash that is pre-patch and 
> another hash that is post patch.  So your sudoers will still function 
> as desired before and after patching.  Obviously someone will need to 
> care for and feed the sudoers file to account for such hashing.
>
>> My problem is one of "too many cooks"... leading to a possibility that 
>> permissions could be changed by someone who lacks understanding of the 
>> implications... and I want to ensure that sudo would cease to run the 
>> command with escalated privileges, in the same way that sshd would 
>> cease to allow logins based on "authorized_keys" if the permissions 
>> of that file were insecure.
>
> That can be a problem.
>
> The other idea that I had was to create a wrapper script that is 
> called which will check the permissions for you.  E.g. something that 
> parses the output of namei -l on the real target, checking for allowed 
> permissions and / or ownership to see if they are (one of a set of) 
> allowed values; e.g. root and / or calling user. Presuming that you 
> use sudo to get to the proper user which can be matched in the script.
>
>> Perhaps it is a feature that would be useful for others as well?....
>
> I don't know.
>
> It seems like it's an entirely new security model that hasn't existed 
> in sudo up to this point.
>
In essence the original ask was really "is this something entirely new, 
or is there perhaps something I have missed, or which is proposed for a 
future release that might offer this capability?"...

If the answer is no, then I will have to find an alternate solution.

I'm sorry I cannot be more precise about the actual problem I am trying 
to work around, but I cannot disclose that currently as I must be 
responsible not to release details of potential vulnerabilities in 
third-party software without following the proper process...


-- 
*ค. ﻝค๓єร ɭєฬเร* (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
