sudo help

Steve Wills ncsa-discussion@ncsysadmin.org
Mon, 21 Oct 2002 20:53:27 -0400 

You bring up a very good point. chroots are a great tool, but no
panacea. With a little luck and determination, they can be broken. For
details, take a look at this page for Solaris (what John said he was
using):

http://www.bpfh.net/simes/computing/chroot-break.html

or this page for Linux (since you mentioned Linux):

http://www.linuxsecurity.com/feature_stories/feature_story-99.html

Neither page is very specific about which versions of the OSs the
weakness of chroot is specific to, so I'm guessing its fairly widely
applicable. Preventing access to root privileges within the chroot
environment seems to be solution, but that doesn't seem to help with
the original problem. I wonder if there isn't a more conventional way
using standard permissions to solve the situation and allow the users
to do what they need, but I'd need more information to know for
sure. :)

Steve

On Mon, Oct 21, 2002 at 09:42:09AM -0700, Stephen Schaefer wrote:
> If I understand you correctly, you want these folks to
> be able to do, as root
> 
> /bin/mv /playground/<foo> /playground/<bar>
> /bin/rm /playground/<rfoo>
> /bin/cp /playground/<foo> /playground/<bar>
> /bin/chmod 7777 /playground/<foo>
> /bin/chown <user> /playground/<foo>
> 
> but not other things.
> 
> I have an important question: are these restrictions
> intended to be gentle reminders to honest folks not to
> exceed their authority, are are they supposed to be
> serious deterrents to malefactors?
> 
> If the former, then sudo is more appropriate.  If the
> latter, you're going to have to work a bit harder.
> Supposed we compose syntax to implement your intent
> (no, the above summary is not it).  Nothing then
> prevents this series of commands:
> 
> % sudo /bin/chmod 777 /playground/.
> % cp /bin/cp /playground/cp
> % sudo /bin/chmod root /playground/cp
> % sudo /bin/chmod 4555 /playground/cp
> % /playground/cp myHackersShadowFile /etc/shadow
> 
> (I would have put /bin/sh in the playground and suid'd
> it, but most shells these days refuse to run suid, as
> an attempt to defend against just such an attack; the
> vast majority of utilities, e.g., cp, have no such
> safeguards.)
> 
> A real deterrent will need to chroot into /playground.
> chroot environments are tedious to put together, but
> you may be able to leverage the work described in
> 
> http://www.linuxorbit.com/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=538&page=1
> 
> Good luck,
> 
>     - Stephen
> 
> -- John Turner <jdturner@nc.rr.com> wrote:
> > I am trying to build a restricted sudoers file where
> > I can give some 
> > people the ability to "mv, rm, cp, chmod, chown"
> > files but only under a 
> > directory /playground. Because sudo doesn't support
> > regular expressions 
> > I am having trouble.
> > 
> > So does anyone have a working sudoers file or
> > another suggestion?
> > Note this is under Solaris 8.
> > 
> > Thanks,
> > John
> > 
> > _______________________________________________
> > ncsa-discussion mailing list
> > ncsa-discussion@ncsysadmin.org
> >
> http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion
> 
> 
> __________________________________________________
> Do you Yahoo!?
> Y! Web Hosting - Let the expert host your web site
> http://webhosting.yahoo.com/
> _______________________________________________
> ncsa-discussion mailing list
> ncsa-discussion@ncsysadmin.org
> http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion

-- 
Pushing 40 is exercise enough.