[sudo-users] Restricting / Limiting permission/ownership of targeted binaries?

L A Walsh sudo at tlinx.org
Mon May 10 17:21:33 MDT 2021


On 2021/04/30 09:58, Grant Taylor via sudo-users wrote:
> On 4/30/21 10:56 AM, Grant Taylor via sudo-users wrote:
>> I think that the permissions of the target binary are a second order 
>> concern that enables the first order concern of changing the target 
>> binary, even if the new target binary has the same permissions as the 
>> old target binary.
>
> This is where the hash of the target binary comes into play as 
> protection against it being changed out.
>
> Technically I suppose it is theoretically possible to replace the old 
> target binary with a new target binary that has the same hash value. 
> But hash collisions are non-trivial and you have to really want to 
> expend the effort.
----
    Finding a good hash algorithm is a crypto subject.  Check out the
book and website for "Practical Cryptography" @
http://practicalcryptography.com/hashes/.

    What you are wanting to do is to limit execution to a set of
approved binaries.  Sudo isn't the best place to apply those limits, since
you'd have to audit each program to verify none of them allow an
unrestricted 'child' to be executed.  Best to do that with a Linux kernel
module.  One example would be the Intel Trusted Execution model that tries
to guarantee the trusted state of the computer by only allowing
execution of trusted software parts.

    No matter what you put in, if they can put in their own kernel, all
your protections would be for naught, so the Intel model helps ensure you
are starting with a trusted base so 'user-space' programs can be known to
be trusted when you execute them.  This model limits what programs
a 'guest' (untrusted) user can run so that they can't "break out" of the
trusted base.  It's not just programs that need securing, but also
libraries, config files, and more.

    Several ways of controlling what can be done on your machine can
be implemented or assisted by various Linux Security Modules, though many
of those may be overkill for end-user machines.  I'd suggest checking
out that book I mention above, as it covers a lot of material about how
to secure what, whereas I couldn't begin to give you a good idea of what's
out there and what might be best for your situation.  Hope that helps!

L Walsh
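The digest pinning Grant describes above is something sudo itself supports: a sudoers(5) Digest_Spec lets a command be matched only when the file's SHA-256 (or SHA-224/384/512) digest still equals the recorded one. The following shell script is an added example, not code from the thread or from the sudo project: it computes the digest of a constructed throw-away "binary", emits the corresponding sudoers line, and then replaces the file with one of identical mode and contents-plus-a-payload to show that the digest check fails even though ownership and permissions are unchanged. It assumes coreutils sha256sum is installed; the user name "alice" and the temp file are constructed for the demo.

```shell
#!/bin/sh
# Added example: pin a sudo target binary by SHA-256 digest, as a sudoers(5)
# Digest_Spec allows, and show that a same-permission replacement no longer
# matches. Assumes coreutils sha256sum; "alice" and the temp file are made up.
set -eu

# digest_of FILE -> lowercase hex SHA-256 of FILE on stdout
digest_of() {
    sha256sum "$1" | awk '{print $1}'
}

# sudoers_line USER FILE -> a sudoers Digest_Spec entry for USER running FILE
# Format per sudoers(5): "user host = (runas) sha256:HEX /path/to/command"
sudoers_line() {
    printf '%s ALL = (root) sha256:%s %s\n' "$1" "$(digest_of "$2")" "$2"
}

# verify FILE EXPECTED_HEX -> exit 0 only if FILE's current digest matches.
# This is the check sudo performs before running a digest-pinned command.
verify() {
    [ "$(digest_of "$1")" = "$2" ]
}

# demo -> exit 0 if a trojaned replacement with the same mode is rejected
demo() {
    tmp=$(mktemp -d)
    bin="$tmp/backup.sh"
    # Constructed target: a harmless script with mode 0755.
    printf '#!/bin/sh\necho running backup\n' > "$bin"
    chmod 0755 "$bin"
    expected=$(digest_of "$bin")
    echo "sudoers entry to install:"
    sudoers_line alice "$bin"

    # Attacker swaps the file: same path, same owner, same 0755 mode, but
    # with a root shell appended. Permission checks alone cannot tell.
    printf '#!/bin/sh\necho running backup\n/bin/sh\n' > "$bin"
    chmod 0755 "$bin"
    if verify "$bin" "$expected"; then
        echo "UNEXPECTED: replaced binary still matches pinned digest"
        rm -rf "$tmp"
        return 1
    fi
    echo "replaced binary rejected: digest no longer matches pinned value"
    rm -rf "$tmp"
    return 0
}

demo
```

Note the caveat from the reply above still applies: the digest protects the file sudo executes, not what that program goes on to exec, so a pinned binary that spawns an unrestricted child is still a hole; digest pinning is a complement to kernel-level execution control, not a replacement for it.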

