topic Re: sudoers in Operating System - Linux

sudoers

Ragni Singh — Wed, 01 Jun 2005 20:55:03 GMT

Check this out. A user created a section in the sudoers file. Since I am a very new sysadmin, can one please explain to me exactly what kind of access he will get once I add this section to our sudeors file. Will this give him high level authority to the production systems? especially the last section. What do !! mean before the command?

# Cmnd alias specification

Cmnd_Alias SYSTEMDOWN = /sbin/reboot, /usr/sbin/reboot, \

/sbin/halt, /sbin/poweroff, \

/sbin/shutdown, /sbin/init, /sbin/telinit

Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/ksh, \

/bin/tcsh, /usr/bin/rsh, \

/bin/zsh, /bin/ash, /bin/ash.static, \

/bin/bash, /bin/bash2, /bin/bsh,

Cmnd_Alias SU = /bin/su

# Defaults specification

# User privilege specification

testuser ALL=ALL,!SHELLS, !SYSTEMDOWN, !SU

Re: sudoers

Steven E. Protter — Wed, 01 Jun 2005 23:17:52 GMT

This section:

Looks to my untrained eye like the user can do anything he/she wants.

boot

Shutdown

This person is just a regular user?

SEP
Contact form that mail's me offline:
http://www.isnamerica.com/contactsep.shtml
If you use the form, please tell me why you are emailing!!

Re: sudoers

Stuart Browne — Wed, 01 Jun 2005 23:57:14 GMT

I take it as that user can't run (as root) any of the shutdown commands or shells.

in other words, the user can run other commands as root (that have been listed in sudoers already), EXCEPT those listed in SHELLS, SYSTEMDOWN or SU.

I don't see this as opening holes. I see it as closing a few if someone was doing dodgey sudoers.

But let me ask you this. Why does a user suddenly want you to add this, given that the machine has been running fine previously without it?

What reason did the user put forth for you to add such a line?

Re: sudoers

Ragni Singh — Thu, 02 Jun 2005 00:22:21 GMT

okay so here I go. This user works in developemnt and is a Linux expert. He has been fighting us to give him root access and so far I have been sucessful. I have been able to contain him by giving him sudo access to do work and if he needs more, I have done it for him.

Let me ask you this.. if you was a sysadmin and this user asks for sudo access as shown above, would you give it to him? I want to be polite and give him the access that he needs to do the work but I under no circumstance would like to give him any high level access. With the stuff above, wont he be able to sudo -s and inherit root? What exactly would he be able to do and what wont he be able to do?

Please give me some good explanation as I will assign good points to all that assist.

Re: sudoers

Gopi Sekar — Thu, 02 Jun 2005 04:20:34 GMT

It looks like you have a big security loop hole. here is what i gathered from man page of sudoers

SECURITY NOTES
It is generally not effective to "subtract" commands from ALL using the â !â operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS

Doesnâ t really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

I hope you have understood what kind of security risk you are in now. please remove the access to him and if he really wants the access then take it up to the management and get their approval beforing giving access to him. Tomorrow no body should blame you for something which you have not done.

Rega

Re: sudoers

Ragni Singh — Thu, 02 Jun 2005 09:28:36 GMT

Thanks, you get a BIG 10.