Hacking sudoers

Bob Proulx bob at proulx.com
Fri May 30 22:48:43 EDT 2003


Steffan A. Cline wrote:
> I need to do the following:
> 1. Remove any logging
> 2. Remove any emails.
> 3. authenticate as target
> 4. timestamp time out is immediate
> 5. passwd timeout is immediate
> 6. disable all unnecessary options
> 7. disable lecture
> 8. only callable by lasso user
> 9. do not use sudoers file.

Looking at this list makes me wonder.  Are you really in need of sudo
at all?  For this list of requirements isn't a simple little C program
suid wrapper what you are looking for?

Let me include a simple C program which you could use as a wrapper for
other programs.  I have used it to wrap shell scripts.  It is
reasonably secure although I won't claim it is perfect.  Although it
is more dependent upon the security of the program you are running
with it.  Customize the top two configuration items and then compile
and go.

Bob

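/*
 * cc -o wrapper wrapper.c
 * chown username:groupname wrapper
 * chmod u+s wrapper
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Configuration item 1: the only real uid allowed to use the wrapper. */
enum { GOODUSER = 1000 };

/* Configuration item 2: the program the wrapper runs. */
const char myprog[] = "/root/bin/myprog";

int main(void)
{
  /* Refuse every caller except GOODUSER. */
  if (getuid() != GOODUSER)
    exit(1);
  /* Give the target a known PATH and IFS. */
  putenv("PATH=/bin:/usr/bin");
  putenv("IFS= \t\n");
  /* Take on the ids granted by the set-uid bit; stop if that fails. */
  if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
    perror("setgid/setuid");
    exit(1);
  }
  execl(myprog,myprog,(char*)0);
  /* execl returns only on failure. */
  fprintf(stderr,"Could not execute %s\n",myprog);
  perror("exec");
  exit(1);
}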
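
A hardened variant of the wrapper above, added here as an example and not part of Bob Proulx's post: it hands the target a fixed environment through execve instead of editing the inherited one, and it confirms that the id switch took effect before running anything. The helper names caller_allowed and adopt_effective_ids are hypothetical, GOODUSER and myprog are the post's placeholders, and the setregid/setreuid behaviour noted in the comment is assumed to be Linux's.

```c
#define _XOPEN_SOURCE 700   /* declares setreuid/setregid under strict -std modes */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { GOODUSER = 1000 };                        /* placeholder uid from the post */
static const char myprog[] = "/root/bin/myprog"; /* placeholder path from the post */

/* The whole environment the target receives; nothing is inherited. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Hypothetical helper: only the configured real uid may use the wrapper. */
int caller_allowed(uid_t ruid)
{
  return ruid == (uid_t)GOODUSER;
}

/*
 * Hypothetical helper: set the real ids to the effective ids, group first,
 * then confirm the change. Linux permits setregid/setreuid to do this
 * even when the wrapper's owner is not root.
 */
int adopt_effective_ids(void)
{
  gid_t g = getegid();
  uid_t u = geteuid();

  if (setregid(g, g) != 0 || setreuid(u, u) != 0)
    return -1;
  return (getgid() == g && getegid() == g &&
          getuid() == u && geteuid() == u) ? 0 : -1;
}

int main(void)
{
  char *const args[] = { (char *)myprog, NULL };

  if (!caller_allowed(getuid()))
    return 1;
  if (adopt_effective_ids() != 0) {
    perror("setregid/setreuid");
    return 1;
  }
  execve(myprog, args, clean_env);   /* returns only on failure */
  perror(myprog);
  return 1;
}
```

It is built and installed with the same cc, chown and chmod u+s steps as the original.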


More information about the sudo-workers mailing list