Re: Change root> normal user?

James Wilkinson wrote:
> Todd Zullinger wrote:
>> If you use sudo, you don't have to give the user the root password,
>> you just edit the /etc/sudoers file to allow them to run the
>> particular command(s) you want and they enter their own password to
>> run them.
> Note: depending on what the program is, this may be equivalent to
> giving users the root password. In particular, if there is any way
> to "shell out" from the program, or run an external editor, then the
> user can end up with a root shell.

Agreed.  It certainly needs to be used with care, as anything dealing
with root privileges should be used.

> I'm also concerned about the man-page paragraph:
>        To prevent command spoofing, sudo checks "." and "" (both
>        denoting current directory) last when searching for a command
>        in the user’s PATH (if one or both are in the PATH).  Note,
>        however, that the actual PATH environment variable is not
>        modified and is passed unchanged to the program that sudo
>        executes.
> I read this as saying that *if* a program runs another program
> merely by name (e.g. "hostname" rather than "/bin/hostname"), then a
> malicious user could place a symlink to bash from ./hostname, change
> the PATH appropriately, and sudo the first program.

I'm not a sudo expert, but that doesn't work in my testing.  I think
that the malicious user would need to modify root's PATH, not their
own for this to work.  Additionally, commands may (probably should) be
specified in /etc/sudoers using the full pathname.  You can also
compile sudo using the --with-secure-path option to have it set the
PATH when it runs.

I have this in /etc/sudoers:

guest   ALL=/bin/true

$ whoami

$ pwd

$ /bin/cat true
echo "Ah ha!"

$ export PATH=.:/usr/bin

$ sudo true
sudo: ignoring `true' found in '.'
Use `sudo ./true' if this is the `true' you wish to run.

$ sudo ./true
Sorry, user guest is not allowed to execute './true' as root on hostname.

Am I missing something?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
If I had a choice, I'd... buy myself a gun, dress up like a nun, kill
the KKK and consider it some fun.
    -- Fishbone, If I Were A... I'd


