Cmnd_Alias subdirectories

Simon Perreault nomis80 at linuxquebec.com
Mon Jan 14 06:49:53 EST 2002 

On January 14, 2002 01:22 am, John E Hein wrote:
> Suppose user X has a Cmnd_Alias that specifies any dir under /a/b/c
> Suppose he does 'sudo mkdir /a/b/c/d ; sudo mount somehost:/some/other/dir
> /a/b/c/d' Now if you follow mount points for your recursive Cmnd_Alias,
> then he has effectively added commands he can run that aren't really under
> /a/b/c.

He would have to have sudo privileges with mkdir and mount to do such a 
thing. I think it's up to the admin to prevent that possibility. For example, 
I have sudo privileges on a box which enable me to do "sudo su". It's the 
admin's fault.

> Okay, you say, don't allow mount.  What if you NEED to allow him to run
>  mount... or what if you allow cp, or creation of sym links, etc... he can
>  just use cp or ln (or a dozen other commands) to add ways to run stuff
>  you didn't intend for him to run.  Anyway, this is just one example.

If you allow cp then that user can trash your system. You just don't give 
such privileges to untrustworthy people. Think of another case: that user 
mounts an empty partition as /usr/bin. There, nothing works. sudo is only 
secure as long as you trust the user.

> You wanted feedback on things to consider if you wanted to implement
>  this option.  Maybe you want to have an option to disallow mount point
>  traversal.  There's a lot of issues and maybes that will come up if you
>  want to allow sudo'd commands under a tree as you suggest.  It made me
>  think of a chroot... sorry you didn't see the parallel.

Ah, I see it now. But I don't think chrooting would be feasible/needed.

> I could see scenarios where you'd like to allow a sudoer limited access
>  to a dir tree containing a limited set of commands and not have to
>  enter each command individually in sudoers.  I am guessing that's your
>  rationale.  Understandable... but if you do this, there will be many ways
>  to circumvent it unless you tightly control what commands can be run
>  (any command that allows modification or creation of a file under that
>  tree is a way to punch through that security, for instance).

You're right. Thanks for the advice.

-- 
Simon Perreault  <nomis80 at linuxquebec.com>
Web: http://www.linuxquebec.com/~nomis80
PGP: $Web/nomis80.gpg

More information about the sudo-workers mailing list