topic Re: Blocking shell escapes for sudoers in Operating System - HP-UX

Blocking shell escapes for sudoers

Ralph Grothe — Fri, 07 May 2004 06:26:53 GMT

Hi,

I need to grant some DBAs writeable editing of system config files (e.g. like /etc/services).

Since I don't like changing group membership of these files to dba, nor even assigning an ACL to them, I would like to put the vi command under sudo.

The catch is how to prevent the shell escape from vi, which would give sudoers a root shell.

Let alone for vi, this would be easy to disable by simply setting the escape shell explicitly.

e.g.

EXINIT="set shell=/usr/bin/false" /usr/bin/vi /etc/services

The problem with this approach is that sudo sees the supposed environment variable EXINIT as a sudo qualifier which it doesn't find a sudoers definition for.

Maybe one could compile a vi version (e.g. from GNU) where one deliberately disables the shell escape functionality (viz. some sort of restricted vi).

But before doing this I'm sure someone of you will come around with a more tangible solution.

Rgd.
Ralph

Re: Blocking shell escapes for sudoers

Tom Dineen_2 — Fri, 07 May 2004 10:13:56 GMT

if you want to run a single command, wonder if you can fire up secure shell running vi ?
maybe this will not work with sudoers ?

Re: Blocking shell escapes for sudoers

Jeff_Traigle — Fri, 07 May 2004 10:30:11 GMT

Hmmm... not sure why the DBAs would need to be munging around in the /etc/services file in the first place... as I recall from my previous job, it's not necessary (at least for the RDBMS).

That being said, however, the most secure way I can think of to handle this is create a small setuid C program wrapper around the commands they need to insert and remove from the file. Has two benefits that I see... 1.) keeps them from doing anything to the file other than what they really need to do and 2.) doesn't allow them access to a shell as root. Not difficult to do... small amount of code that should be fairly easy to find online. (Been a while since I needed anything like that and don't have it handy.)

Re: Blocking shell escapes for sudoers

curt larson_1 — Fri, 07 May 2004 11:32:34 GMT

have you thought of this:

they don't need to actually vi /etc/services. they only need to overwrite it.

all they need is read permissions to make a copy of the file and from there use vi to make their changes. then they can do a sudo to copy their changes to /etc/services.

Cmnd_alias CPSERVICES = /usr/bin/cp /home/dba/services /etc/services

this could get a bit tedious if you have quite a few config files to give access.

Re: Blocking shell escapes for sudoers

James A. Donovan — Fri, 07 May 2004 12:05:22 GMT

I faced a similar problem with sudo and created a short shell script called vin (vi 'no-shell'), and placed it in /usr/bin. I then gave sudo access to the appropriate people.

[morpheus|jdonovan]
$ cat /usr/bin/vin
SHELL=/bin/false
/usr/bin/vi $1

[morpheus|jdonovan]
$ ll /usr/bin/vin
-rwxr-xr-x 1 root sys 32 Mar 21 06:00 /usr/bin/vin

Re: Blocking shell escapes for sudoers

Charlie Rubeor — Fri, 07 May 2004 14:48:58 GMT

I have never had a need to do this, but can't you tell sudo to keep certain environment variables with the env_reset and env_keep parameters in the Defaults section of the sudoers file?

Setting env_reset to "on" and env_keep to "EXINIT" should preserve the EXINIT environment variable in the sudo-spawned process.

Re: Blocking shell escapes for sudoers

Ralph Grothe — Mon, 10 May 2004 02:21:36 GMT

Charlie,

I didn't know these env_(reset|keep) settings exist because the sudoer's manpage of my version of sudo doesn't mention them.
Having had a look at http://www.courtesan.com/ I soon discovered that in fact the release I am using is pretty dated.

# sudo -V|head -1
Sudo version 1.6.3p4

while 1.6.7 seems to be the current release.
And indeed the online manpage of sudoers mentions the env_* settings.

Therefore I think it would probably be the best to update to the new release.

Jim,

your solution most likely will also work, and looks pretty straight forward.

Curt,

of course, your solution looks even better as it avoids the use of vi altogether.

Jeff,

yet another way that will work,
but requires the extra work of writing a wrapper, though I'm convinced I could also write it in Perl (which knows all the required syscalls for that but is much easier than C to me).

Tom,

did you mean a restricted shell like HP-UX rsh (not to be confused with other Unices' remote shell)?

Re: Blocking shell escapes for sudoers

Steve Horvath — Wed, 13 Dec 2006 11:39:16 GMT

I know this thread is old, but it was still helpful for me (thanks guys) and will add how I applied it:

I have a situation where a handful operational tasks are required with root priviliges, so I wrote a menu driven script run under sudo. One task is editing a few config files, so I came accross this thread when googling "sudo vi shell escape" :) Based on Jim's suggestion above, I came up with the following (excerpt from my wrapper script):

HOLDER=$SHELL
SHELL=/bin/false
vi $CFG_FILE # shell esc no longer works
SHELL=$HOLDER
# to test: try vi $CFG_FILE here and esc works again

Cheers!

Re: Blocking shell escapes for sudoers

Heironimus — Wed, 13 Dec 2006 13:14:03 GMT

So what's going to stop people from doing things like ":e /etc/passwd" and ":w /etc/sudoers" from that vi session?