[sudo-users] Grant permission by "digest" only?

Róbert Manner rmanni at gmail.com
Wed May 5 14:51:55 MDT 2021


Hi,

I think you can easily do this with an approval plugin[1]:

import sudo
class ExamplePlugin(sudo.Plugin):
    def check(self, cmd_info, run_argv, run_env):
        # packageManagerHashMatches() is the part you implement yourself
        if not packageManagerHashMatches(cmd_info):
            raise sudo.PluginReject("Hash invalid!!")

You can then implement the hash match or just verify the owner of the file.

Beware that restricting to some commands only can be a good way to avoid mistakes, e.g. a typo in scripts, but only if the one who gets restricted cooperates with that. However, if the purpose is security, this alone can fail. I mean, obviously, if one has the right to execute "chown" as root, then restricting by file ownership does not make it much harder to execute anything.

Much the same, if you grant the right to execute vim, he'll be able to chown with vim's internal functions even if you disable child command execution.

Once I was given the right to execute only "mv" on a machine, which can seem very restrictive, but since that allowed me to replace sudoers... just an example, you probably know what I mean.

[1] https://blog.sudo.ws/posts/2020/08/sudo-1.9-using-the-new-approval-api-from-python/

Robert

On May 5, 2021, at 18:01, Daniele Palumbo <daniele at retaggio.net> wrote:
>On 11 Mar 2020, at 20:52, Todd C. Miller
><Todd.Miller at sudo.ws> wrote:
>> I just checked in support for this to what will be sudo 1.9.0 so
>> it will be possible in the near future.  For example, you can now
>> do things like this:
>
>A useful side effect would be to be able to execute only the binaries
>that are compliant with a package manager.
>More generically, a "run this command in advance in order to trust the
>binary" could be useful.
>
>In this way, even "badly written rules" could be safer.
>
>eg:
>* if the file belongs to a package manager, allow only if the hash matches
>the package manager's;
>* if the file belongs to a package manager, allow only if the file
>permissions match;
>this could be "exit 0 based" on a custom script or whatever, to support
>multiple package managers in the same OS.
>
>It should work like the other options (NOPASSWD, to mention one) to be
>effective.
>
>Just an idea to improve the security :)
>
>HTH,
>Daniele
>____________________________________________________________
>sudo-users mailing list <sudo-users at sudo.ws>
>For list information, options, or to unsubscribe, visit:
>https://www.sudo.ws/mailman/listinfo/sudo-users
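A fuller version of the check Róbert sketches, combining Daniele's two rules (hash matches the package manager, file permissions are sane). This is an added example, not Róbert's code and not part of the sudo project. It assumes a Debian-style host, where dpkg records one "<md5>  <path without leading slash>" line per installed file in /var/lib/dpkg/info/<package>.md5sums; the plugin class, its check() signature, sudo.PluginReject and the "command=" entry of command_info follow the sudo 1.9 Python plugin documentation linked in [1]. The function and constant names (parse_dpkg_md5sums, load_dpkg_md5sums, check_binary, command_path, PackageHashPlugin, DPKG_INFO_DIR) are this example's own. required_uid exists only so the check can be exercised by a non-root user; inside sudo it is left at 0.

```python
"""Approval-plugin check: run a command only if the binary on disk still
matches what dpkg installed.  Added example; see the lead-in for assumptions."""
import glob
import hashlib
import os
import stat

DPKG_INFO_DIR = "/var/lib/dpkg/info"   # assumption: Debian/Ubuntu layout


def parse_dpkg_md5sums(text):
    """Turn one .md5sums file into {absolute path: md5 hex digest}.

    dpkg writes '<32 hex chars><two spaces><path without leading slash>'."""
    table = {}
    for line in text.splitlines():
        if not line:
            continue
        digest, sep, rel = line.partition("  ")
        if sep and len(digest) == 32:
            table["/" + rel] = digest
    return table


def load_dpkg_md5sums(info_dir=DPKG_INFO_DIR):
    """Merge every package's md5sums into one table (empty on a non-dpkg host)."""
    table = {}
    for name in glob.glob(os.path.join(info_dir, "*.md5sums")):
        with open(name, encoding="utf-8", errors="replace") as f:
            table.update(parse_dpkg_md5sums(f.read()))
    return table


def file_md5(path):
    # MD5 because that is what dpkg records: this is an integrity check
    # against the local package database, not a signature verification.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binary(path, md5_table, required_uid=0):
    """Return (ok, reason).  Rejects, in this order: no path, a file no package
    owns, wrong owner, group/world-writable, and a digest that no longer
    matches the package manager's record."""
    if not path:
        return False, "no command path supplied"
    real = os.path.realpath(path)          # follow symlinks to the installed file
    expected = md5_table.get(real) or md5_table.get(path)
    if expected is None:
        return False, f"{real} is not owned by any package"
    st = os.stat(real)
    if st.st_uid != required_uid:
        return False, f"{real} is not owned by uid {required_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, f"{real} is group- or world-writable"
    actual = file_md5(real)
    if actual != expected:
        return False, f"hash mismatch for {real}: {actual} != {expected}"
    return True, "ok"


def command_path(command_info):
    """Pull the fully qualified command out of sudo's 'key=value' tuple."""
    for item in command_info:
        if item.startswith("command="):
            return item.split("=", 1)[1]
    return None


try:
    import sudo                      # only importable inside sudo's interpreter
except ImportError:                  # running outside sudo, e.g. under a test
    sudo = None

if sudo is not None:
    class PackageHashPlugin(sudo.Plugin):
        def check(self, command_info, run_argv, run_env):
            ok, reason = check_binary(command_path(command_info),
                                      load_dpkg_md5sums())
            if not ok:
                raise sudo.PluginReject(reason)
```

Per the sudo documentation, the plugin is enabled with a line such as "Plugin python_approval python_plugin.so ModulePath=/etc/sudo/pkghash.py ClassName=PackageHashPlugin" in sudo.conf (path and class name are this example's). Two caveats a practitioner should keep in mind: the check trusts /var/lib/dpkg/info, so anyone who can already write there as root can also "fix" the recorded digest (on an RPM host the same idea would consult rpm -Vf instead, which is not shown here); and, exactly as Róbert says above, proving that a binary is the unmodified packaged one says nothing about what that binary lets the caller do once it runs as root.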
