[sudo-workers] NOEXEC: /usr/bin/vi using ldap

Jacob Pszonowsky jdp16 at mac.com
Wed Jul 7 20:47:36 EDT 2004


Aaron -

Thanks for the tips. I'll try these various combinations now.

Working on these I've noticed a couple of things:

1. Sudoedit (when not specifically denied or allowed) allows
2. Sudoedit doesn't follow any of the deny rules (always allows editing 
of a file - even if denied)
3. This doesn't work trying First entry and Second Entry - it allows 
editing of all files:
> User jacobp may run the following commands on this host:
> LDAP Role: ldap_admin
>   Commands:
>     !/usr/bin/vi
>     !/usr/bin/less
>     !/usr/sbin/ldapclient
>     !/bin/sh
>     !/bin/bash
>     !/bin/ksh
>     !/bin/tcsh
>     !/grid/common/bin/bash
>     !/grid/common/bin/tcsh
>     !/usr/ngnu/bin/bash
>     !/usr/ngnu/bin/tcsh
>     All
>
> LDAP Role: vi
>   Commands:
>     !/usr/bin/vi /etc/passwd
>     /usr/bin/vi

I'll continue to try different combinations and let you know how it 
goes.

Thanks,
Jake

Jacob Pszonowsky

jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918

On Jul 7, 2004, at 4:59 PM, Aaron Spangler wrote:

> Jacob,
>
> Try
>
> # First entry
> sudoUser: ......
> sudoHost: .....
> description: Allow all commands except vi
> sudoCommand: ALL
> sudoCommand: !/usr/bin/vi
>
> # entry two
> sudoUser: <same as above>
> sudoHost: <same as above>
> description: Allow vi to modify most files but no subshells
> sudoOption: noexec
> sudoCommand: /usr/bin/vi
> sudoCommand: !/usr/bin/vi /etc/passwd
>
> or better yet, this combines all into one role
>
> # better example
> sudoUser: <same as above>
> sudoHost: <same as above>
> description: allow most commands except vi, allow safe editing except 
> /etc/passwd
> sudoCommand: ALL
> sudoCommand: !/usr/bin/vi
> sudoCommand: sudoedit
> sudoCommand: !sudoedit /etc/passwd
>
> Since above prevents vi and requires the user to use 'sudoedit' 
> instead to modify files, then vi runs as the normal user, so even if 
> they subshelled, they would not gain additional privileges.
> The only trick is that since you have taught your users to use sudo 
> before commands, ask them to use 'sudoedit' to modify files.
>
> On a different matter, make sure you notify your users they are not 
> supposed to modify /etc/passwd because they could always do the 
> following because the ! statements really do not protect the clever 
> person.  Example:
>
> ln -s /etc/passwd /tmp/myfile
> ln -s /usr/bin/vi /tmp/myedit
> sudo /tmp/myedit /tmp/myfile
>
> As a side note, for some reason the example above does not currently 
> allow sudoedit.  I will find out why and get back to you.
>
> -Aaron
>
> Jacob Pszonowsky wrote:
>
>> Question: Does the NOEXEC: /usr/bin/vi syntax work with ldap? Also, 
>> is it possible to use this in conjunction with:
>>
>> sudoCommand: !/usr/bin/vi /etc/passwd
>> sudoCommand: NOEXEC: /usr/bin/vi
>> sudoCommand: ALL
>>
>> such that
>> "/usr/bin/vi /etc/passwd" is NOT allowed,
>> executing a shell from vi is NOT allowed,
>> all other commands are allowed
>>
>> It doesn't seem to work, but I could have the syntax wrong.
>>
>> Thanks,
>> Jake
>>
>> Jacob Pszonowsky
>>
>> jdp16 at mac.com
>> (c) 415.225.2647
>> (f) 415.358.5918
>>
>> ____________________________________________________________ 
>> sudo-workers mailing list <sudo-workers at gratisoft.us>
>> For list information, options, or to unsubscribe, visit:
>> http://www.gratisoft.us/mailman/listinfo/sudo-workers
>
>
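
As an added example, not part of the thread or of sudo itself, the
shell script below shows the mechanism behind the symlink trick Aaron
describes: a deny rule such as "!/usr/bin/vi /etc/passwd" compares the
argument text the user typed, while the kernel opens whatever that path
resolves to. The script builds a throwaway directory holding a stand-in
for /etc/passwd and a symlink standing in for /tmp/myfile, then applies
the two kinds of check side by side. It never invokes sudo; the function
names, the sandbox paths, the sample passwd line and the availability of
"readlink -f" are assumptions of the example, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the sudo-workers thread or the sudo sources).
# Demonstrates why a path-string deny rule is bypassed by a symlink:
# the rule sees the literal argument, the kernel sees the target.
# Assumes a readlink that supports -f (GNU coreutils, recent BSD/macOS).

set -u

# What a string-matching deny rule sees: the argument text only.
# Returns 0 (denied) iff the typed argument equals the protected path.
denied_by_literal_rule() {
    arg=$1; protected=$2
    [ "$arg" = "$protected" ]
}

# What a rule would have to do to protect the file itself: resolve
# symlinks on both sides before comparing.
denied_by_resolved_rule() {
    arg=$1; protected=$2
    [ "$(readlink -f -- "$arg")" = "$(readlink -f -- "$protected")" ]
}

# Recreate the quoted trick in a sandbox (constructed data, no sudo):
#   ln -s /etc/passwd /tmp/myfile ; sudo vi /tmp/myfile
# "passwd" stands in for /etc/passwd, "myfile" for /tmp/myfile.
demo() {
    sandbox=$(mktemp -d)
    protected="$sandbox/passwd"
    alias_link="$sandbox/myfile"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$protected"
    ln -s "$protected" "$alias_link"

    literal=allowed
    denied_by_literal_rule "$alias_link" "$protected" && literal=denied
    resolved=allowed
    denied_by_resolved_rule "$alias_link" "$protected" && resolved=denied

    rm -rf -- "$sandbox"
    # The literal rule lets the aliased path through; the resolved one
    # catches it.
    echo "literal=$literal resolved=$resolved"
}

demo
```

The same comparison applies to any deny list expressed as path strings:
unless the checker canonicalizes the argument (and the command) before
matching, a user who may create symlinks anywhere can rename the
forbidden target into an allowed one, which is why the thread's advice
is to deny vi outright and hand out sudoedit instead of relying on
"!" entries for individual files.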


