Hacking sudoers

Steffan A. Cline steffan at hldns.com
Sat May 31 00:47:52 EDT 2003


This would need to have the s bit set on it right? Could this be done inside
of a dylib that is loaded into Lasso? I didn't think it was possible. That
is why I have been fooling with sudo.


Steffan

---------------------------------------------------------------
T E L  6 0 2 . 5 7 9 . 4 2 3 0 | F A X  6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline
Steffan at ExecuChoice.net                             Phoenix, Az
http://www.ExecuChoice.net                                  USA
AIM : SteffanC          ICQ : 57234309
The Executive's Choice in Lasso driven Internet Applications
---------------------------------------------------------------


> From: bob at proulx.com (Bob Proulx)
> Date: Fri, 30 May 2003 20:48:43 -0600
> To: "Steffan A. Cline" <steffan at hldns.com>
> Cc: sudo-workers at sudo.ws
> Subject: Re: Hacking sudoers
> 
> Steffan A. Cline wrote:
>> I need to do the following:
>> 1. Remove any logging
>> 2. Remove any emails.
>> 3. authenticate as target
>> 4. timestamp time out is immediate
>> 5. passwd timeout is immediate
>> 6. disable all unnecessary options
>> 7. disable lecture
>> 8. only callable by lasso user
>> 9. do not use sudoers file.
> 
> Looking at this list makes me wonder.  Are you really in need of sudo
> at all?  For this list of requirements isn't a simple little C program
> suid wrapper what you are looking for?
> 
> Let me include a simple C program which you could use as a wrapper for
> other programs.  I have used it to wrap shell scripts.  It is
> reasonably secure although I won't claim it is perfect.  Although it
> is more dependent upon the security of the program you are running
> with it.  Customize the top two configuration items and then compile
> and go.
> 
> Bob
> 
> /*
>  * cc -o wrapper wrapper.c
>  * chown username:groupname wrapper
>  * chmod u+s wrapper
>  */
> 
> #include <stdio.h>
> #include <stdlib.h>   /* exit(), putenv() */
> #include <unistd.h>
> 
> enum { GOODUSER = 1000 };      /* real uid of the only caller allowed in */
> 
> const char myprog[] = "/root/bin/myprog";
> 
> int main(void)
> {
>     /* Refuse anyone but the intended caller, judged by real uid. */
>     if (getuid() != GOODUSER)
>         exit(1);
>     /* Pin the two variables a shell script is most easily tricked with. */
>     putenv("PATH=/bin:/usr/bin");
>     putenv("IFS= \t\n");
>     /* Make the effective identity the real one, and fail closed if that
>      * does not work rather than running myprog as the wrong user. */
>     if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
>         perror("setuid");
>         exit(1);
>     }
>     execl(myprog, myprog, (char *)0);
>     fprintf(stderr, "Could not execute %s\n", myprog);
>     perror("exec");
>     exit(1);
> }
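A stricter take on the wrapper in the quoted mail, added here as an illustration; it is not Bob's code and not part of sudo. It keeps the same placeholders (uid 1000, /root/bin/myprog) and adds the checks a reviewer would ask for: the child's environment is rebuilt from scratch for execve() instead of patching PATH and IFS with putenv(), because once the wrapper calls setuid(geteuid()) the real and effective uids match and myprog no longer gets the loader's set-uid protections, so anything still in the environment (LD_PRELOAD, LD_LIBRARY_PATH and the like) reaches it unfiltered; supplementary groups are dropped when the target is root; and every privilege call is checked and its result re-read. The allow-list of pass-through variables (LANG, TERM) is an assumption for the example. Like the original, it is only as safe as the program it runs.

```c
#define _DEFAULT_SOURCE 1   /* setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Placeholders carried over from the quoted mail: adjust both before use. */
enum { GOODUSER = 1000 };
static const char myprog[] = "/root/bin/myprog";

/* Forced into the child's environment no matter what the caller had set. */
#define SAFE_PATH "PATH=/bin:/usr/bin"
#define SAFE_IFS  "IFS= \t\n"

/* The only caller variables passed through; everything else, LD_* included,
 * is dropped. Hypothetical allow-list, chosen for this example. */
static const char *const keep_names[] = { "LANG", "TERM", NULL };

/* Only the real (invoking) uid decides; root is deliberately not special. */
int caller_allowed(uid_t real_uid)
{
    return real_uid == (uid_t)GOODUSER;
}

/* Build the environment handed to execve(): fixed PATH and IFS first, then
 * allow-listed entries of `in`. Returns the entry count (NULL terminator not
 * counted) or -1 if `out` cannot hold them. Stores pointers into `in`. */
int sanitize_env(char *const in[], char *out[], size_t max)
{
    size_t n = 0;

    if (max < 3)
        return -1;
    out[n++] = SAFE_PATH;
    out[n++] = SAFE_IFS;
    for (size_t i = 0; in != NULL && in[i] != NULL; i++) {
        const char *eq = strchr(in[i], '=');
        if (eq == NULL)
            continue;                       /* malformed entry: drop it */
        size_t len = (size_t)(eq - in[i]);
        for (size_t k = 0; keep_names[k] != NULL; k++) {
            if (strlen(keep_names[k]) == len &&
                strncmp(in[i], keep_names[k], len) == 0) {
                if (n + 1 >= max)
                    return -1;              /* no room for entry plus NULL */
                out[n++] = in[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Switch to the target identity permanently. Groups and gid go first (they
 * need root), uid last; every call is checked and the result re-read, since a
 * wrapper that carries on after a failed setuid() runs myprog as the caller. */
int become_target(uid_t uid, gid_t gid)
{
    /* Only root may change supplementary groups; a non-root target keeps
     * the caller's, which is the normal behaviour of any set-uid program. */
    if (setgroups(1, &gid) != 0 && errno != EPERM)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    char *env[32];
    char *const argv[] = { (char *)myprog, NULL };   /* fixed, never from caller */

    if (!caller_allowed(getuid()))
        return 1;
    if (sanitize_env(environ, env, sizeof env / sizeof env[0]) < 0)
        return 1;
    if (become_target(geteuid(), getegid()) != 0) {
        perror("privilege switch");
        return 1;
    }
    execve(myprog, argv, env);
    fprintf(stderr, "Could not execute %s: %s\n", myprog, strerror(errno));
    return 1;
}
```

Build and install it the same way as the original (cc, chown to the target user, chmod u+s). If myprog is a shell script, the fixed PATH and IFS still matter; the rebuilt environment is what keeps the loader and libc variables of the caller away from the interpreter.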
