Sudo & su 2007-11-04 - By Carville, Stephen
On Sat, 3 Nov 2007 18:22:16 -0500 (CDT) "Chris St. Pierre" <stpierre@(protected)> wrote:
>> On Sat, 3 Nov 2007, Carville, Stephen wrote:
>> > Do not give it all then try to deny certain commands. Any reasonably smart user
>> > can defeat that. Start with nothing and allow only what is necessary.
>>
>> This is _excellent_ advice.
>>
>> Let's say you give someone sudo but don't allow them to run 'su'. I
>> can think of half a dozen ways off the top of my head to get around
>> that:
>>
>> 'sudo bash'; run su
>> 'sudo screen'; run su
>> 'sudo emacs'; M-x shell; run su
>> 'sudo script su'
>> Write a shell script that invokes su and run it with sudo
>> 'true | sudo xargs su'
>>
>> That was after about 30 seconds of thought. A dedicated attacker
>> could find significantly more avenues of attack.
> less, vi and a number of other innocent looking programs
> can be used to invoke a shell.
If you _really_ have to give sudo root permission to one of those programs, get the src RPM, rebuild without the shell escape, and install the modified version.
Frankly I think shell escapes should be eliminated but that's another argument.
> Of course, if you can sudo vi, you could just edit the
> sudoers file.
> Stephen's advice is to be taken seriously.
-- Stephen
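The "start with nothing" approach from this thread, written out as a sudoers fragment. This is an added example, not configuration from the thread or the list; the host `web1`, user `alice` and the command paths are constructed for illustration.

```sudoers
# Added example, not from the original thread. Host "web1", user "alice"
# and the command paths below are constructed for illustration.

# Weak: grant everything, then try to carve out su. As the thread points
# out, any editor, pager or shell run under this rule still reaches root,
# so the exclusion adds almost nothing.
alice  web1 = ALL, !/bin/su

# Better: start from nothing and allow only the specific commands needed,
# with their arguments pinned down.
Cmnd_Alias  WEB_SERVICE = /sbin/service httpd restart, /sbin/service httpd reload
Cmnd_Alias  WEB_LOGS    = /usr/bin/tail -f /var/log/httpd/error_log

alice  web1 = WEB_SERVICE, WEB_LOGS

# If a program with a shell escape (less, vi, ...) really must be granted,
# the NOEXEC tag makes sudo stop it from executing further programs
# (enforced via LD_PRELOAD, so it covers dynamically linked binaries only).
# This is a cheaper alternative to rebuilding the package without the escape.
alice  web1 = NOEXEC: /usr/bin/less /var/log/httpd/error_log
```

Check the file with `visudo -c` before installing it, and confirm what a user actually ends up with using `sudo -l -U alice`.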
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@(protected)?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list