RE: Sudo tricks



Isn't the real meat of this issue the commands an unprivileged user is
permitted to execute via sudo?

Sudo isn't a blanket 'execute anything' unless it's set up that way.
Instead, you should carefully choose the specific command(s) that the user
needs to be allowed to execute. That should involve execution from an
absolute path and a protected binary.

For example, if visudo contains this

/sbin/ifconfig eth0

Then all the user can execute is the ifconfig command from the protected
binary in /sbin/ifconfig to see the state of the interface.

Or this

/sbin/ifconfig eth0 *

Allows him/her full control of eth0 - but still from the protected binary in
/sbin/ifconfig.

If you specify this:

ifconfig eth0 *

Then all bets are off...




-----Burton
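
Added example, not part of the message above: a small Python audit that applies the two checks the message describes to sudoers command entries, namely whether the command is given as an absolute path with fixed arguments, and whether the binary it names is protected from modification by non-root accounts. The function names are hypothetical; the sample entries are the three quoted in the message.

```python
import os
import shlex
import stat

WILDCARDS = "*?["  # glob characters sudoers expands in commands and arguments

def lint_command_spec(spec):
    """Return findings for one sudoers command entry, e.g. '/sbin/ifconfig eth0 *'."""
    parts = shlex.split(spec)
    if not parts:
        return ["empty command spec"]
    command, args = parts[0], parts[1:]
    findings = []
    if not command.startswith("/"):
        findings.append("command is not an absolute path")
    if any(ch in command for ch in WILDCARDS):
        findings.append("wildcard in command path")
    if not args:
        # sudoers: an entry with no argument list permits any arguments
        findings.append("no argument list: any arguments are accepted")
    elif any(ch in arg for arg in args for ch in WILDCARDS):
        findings.append("wildcard in arguments")
    return findings

def unprotected_components(path):
    """List the file and every ancestor directory a non-root account could modify.
    Conservative: anything not owned by uid 0, or group/world writable, is listed."""
    weak = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            weak.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    return weak

# The three entries quoted in the message above
SAMPLE_SPECS = ["/sbin/ifconfig eth0", "/sbin/ifconfig eth0 *", "ifconfig eth0 *"]

if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(f"{spec!r}: {lint_command_spec(spec) or 'ok'}")
        command = shlex.split(spec)[0]
        if os.path.isabs(command) and os.path.exists(command):
            print("  modifiable by non-root:", unprotected_components(command) or "nothing")
```

An empty result from both functions means the entry names a fixed command line on a binary that only root can replace.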


