James Wilkinson wrote:
> Todd Zullinger wrote:
>> If you use sudo, you don't have to give the user the root password,
>> you just edit the /etc/sudoers file to allow them to run the
>> particular command(s) you want and they enter their own password to
>> run them.
>
> Note: depending on what the program is, this may be equivalent to
> giving users the root password. In particular, if there is any way
> to "shell out" from the program, or run an external editor, then the
> user can end up with a root shell.

Agreed. It certainly needs to be used with care, as anything dealing
with root privileges should be used.

> I'm also concerned about the man-page paragraph:
>     To prevent command spoofing, sudo checks "." and "" (both
>     denoting current directory) last when searching for a command
>     in the user’s PATH (if one or both are in the PATH). Note,
>     however, that the actual PATH environment variable is not
>     modified and is passed unchanged to the program that sudo
>     executes.
>
> I read this as saying that *if* a program runs another program
> merely by name (e.g. "hostname" rather than "/bin/hostname"), then a
> malicious user could place a symlink to bash from ./hostname, change
> the PATH appropriately, and sudo the first program.

I'm not a sudo expert, but that doesn't work in my testing. I think
that the malicious user would need to modify root's PATH, not their
own, for this to work. Additionally, commands may (probably should) be
specified in /etc/sudoers using the full pathname. You can also
compile sudo using the --with-secure-path option to have it set the
PATH when it runs.

I have this in /etc/sudoers:

guest ALL=/bin/true

$ whoami
guest
$ pwd
/home/guest
$ /bin/cat true
#!/bin/sh
echo "Ah ha!"
$ export PATH=.:/usr/bin
$ sudo true
sudo: ignoring `true' found in '.'
Use `sudo ./true' if this is the `true' you wish to run.
$ sudo ./true
Sorry, user guest is not allowed to execute './true' as root on hostname.

Am I missing something?

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
If I had a choice, I'd... buy myself a gun, dress up like a nun, kill
the KKK and consider it some fun.
    -- Fishbone, If I Were A... I'd
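
An added example, not part of the original message: because the quoted man-page paragraph says sudo passes PATH to the program unchanged, an administrator may want to check a PATH value for entries that resolve to the current directory ("." or an empty entry), relative entries, and directories writable by group or other. The function name audit_path and its output labels are assumptions made for this example.

```sh
#!/bin/sh
# audit_path PATHSTRING
# Added example: prints one "reason: entry" line per risky PATH entry and
# returns 1 if any were found, 0 otherwise.
audit_path() {
    ap_rest="$1:"        # trailing ':' so the last entry is also consumed
    ap_rc=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text up to the first ':'
        ap_rest=${ap_rest#*:}       # everything after the first ':'
        case $ap_entry in
            '')
                # An empty entry (leading, trailing or doubled ':') means
                # the current directory, exactly like ".".
                echo "current-dir: (empty entry)"; ap_rc=1 ;;
            .)
                echo "current-dir: ."; ap_rc=1 ;;
            /*)
                # Absolute entry: inspect the mode string of the directory
                # itself (-L follows symlinks such as /bin -> usr/bin).
                # Entries that do not exist are skipped.
                ap_mode=$(ls -ldL -- "$ap_entry" 2>/dev/null) || continue
                case $ap_mode in
                    d????w*|d???????w*)
                        echo "group/other-writable: $ap_entry"; ap_rc=1 ;;
                esac ;;
            *)
                echo "relative: $ap_entry"; ap_rc=1 ;;
        esac
    done
    return $ap_rc
}

# The PATH value used in the session in the message above.
audit_path '.:/usr/bin' || true
```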