topic Re: Sudo Problems in Operating System - HP-UX

Sudo Problems

Daniel Crow — Tue, 09 Oct 2001 19:04:31 GMT

I was going about some sudo file maintanence this evening and found that if a user were to have sudo privliges to chmod or chown they could simply change their access or anyones access in the sudoers file simply by modifying their rights to the file. Does anyone have a solution for this?

I could put it on an nfs drive and mount it as read only but that seems so cumbersome. There has to be a more viable solution.

I know giving chmod / own rights to a user is a bad thing but it is necessary in this case. I guess giving them rights to chmod or chown at all gives them pretty much free run of the machines they are on. Maybe this is a no win situation.

Re: Sudo Problems

harry d brown jr — Tue, 09 Oct 2001 19:11:24 GMT

especially if they did this:

cp /usr/bin/ksh myksh
chown root bin myksh
chmod 4777 myksh

then they could always have a "root" user, without sudo!

Re: Sudo Problems

Santosh Nair_1 — Tue, 09 Oct 2001 19:15:47 GMT

If you really think about it, there really is not way to secure something like sudo...there has to be some amount of trust.

For example, there is nothing that prevents a user from doing something like the following:

cp /bin/ksh /tmp/myksh
chown root:root /tmp/myksh
sudo chmod 4555 /tmp/myksh

and now I have a ksh that has root privs.

The only other alternative is to write a suid program (not a script) that only does a specific thing, such as a chown, but even then you'd have to do so many checks that you're probably going to give up in frustration. :-)

-Santosh

Re: Sudo Problems

Kevin Wright — Tue, 09 Oct 2001 20:43:56 GMT

I am not sure why I can't get it to work in this case, but for instance, to give users perms to change other users passwords and NOT roots, you do this..
users passwd, !passwd root

but
users chown, !chown /opt/sudo
does not seem to work.

This is the only way I know of to restrict what sudo commands do.