Re: Trusted VI on HP-UX?

 
chisle
Advisor

Trusted VI on HP-UX?

On other OS flavors, there is a /usr/bin/tvi command that can be used to prohibit 'vi' users from executing a shell from within vi.

Importance: if sudo/rbac allows vi access to any file as root, a user can execute a root shell!

I was wondering if you had any workarounds?

Here's my hack:
file: trusted_vi
perms: root:sys/500
access: via sudo (and the sudo command can limit it by file as well!)

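#!/usr/bin/ksh
# trusted_vi: open one existing file in vi with the escape shell set to /usr/bin/false
umask 022
# vi takes the shell it uses for :shell and :! from $SHELL
SHELL=/usr/bin/false
export SHELL

# Require a file name argument (-z tests for an empty string)
if [ -z "$1" ] ; then
    echo "ERROR: You must provide a file name"
    exit 1
fi

# Strip special characters; if the result differs, the name contained one
file=$(echo "$1"|sed -e 's/[ ;,|\\\%\^\&\*\$\#\@\!]*//g')

if [ "$1" != "$file" ] ; then
    echo "ERROR: NO SPECIAL CHARS ALLOWED IN FILE NAMES!!!"
    echo "ERROR: Bad chars: (space|tab);,%^&\\\*\$\#\@\!"
    echo "ERROR: you used: $1"
    exit 1
fi
# Only edit files that already exist
if [ ! -f "$file" ] ; then
    echo "ERROR: $file does not exist!"
    echo "ERROR: You must specify an existing file"
    exit 1
fi
/usr/bin/vi "$1"
exit 0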

Jeff_Traigle
Honored Contributor

Re: Trusted VI on HP-UX?

See sudoedit portion of the sudo man page for a possible solution.

You can also use sudo's noexec functionality to avoid shell escapes in general, since other programs besides vi allow them. See the sudoers man page for details of the syntax.
--
Jeff Traigle
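
The two options named in the reply above (sudoedit, and the NOEXEC tag in sudoers) can be checked for mechanically. The script below is an added example, not code from any poster in this thread: it classifies editor rules in sudoers text as run through sudoedit, tagged NOEXEC, or neither, and it follows the sudoers rule that a tag is inherited by later commands in the same list. User names other than caa4573 and all paths other than /tmp/OUT are constructed; it does not expand aliases or read Defaults lines.

```shell
#!/bin/sh
# Added example (not from the thread): classify editor rules in sudoers text.
# Limits (assumptions): no alias expansion, no Defaults handling, no line
# continuations, no commas inside a Runas list.

# Constructed sample; only the caa4573 rule comes from the thread.
sample_sudoers() {
cat <<'EOF'
caa4573 ALL = sudoedit /tmp/OUT
alice   ALL = /usr/bin/vi /etc/hosts
bob     ALL = NOEXEC: /usr/bin/vi /etc/hosts
carol   ALL = (root) NOPASSWD: /usr/bin/view /etc/motd, /usr/bin/ls
dave    ALL = NOEXEC: /usr/bin/ls, /usr/bin/vi /etc/hosts
EOF
}

audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        user = $1
        n = split(substr($0, eq + 1), cmds, ",")
        noexec = 0          # tag state carries across the command list
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            sub(/^\([^)]*\)[ \t]*/, "", c)           # drop Runas spec
            while (match(c, /^[A-Z_]+:[ \t]*/)) {    # consume tags
                tag = substr(c, 1, RLENGTH); sub(/:[ \t]*$/, "", tag)
                if (tag == "NOEXEC") noexec = 1
                if (tag == "EXEC") noexec = 0
                c = substr(c, RLENGTH + 1)
            }
            split(c, w, /[ \t]+/); base = w[1]; sub(/.*\//, "", base)
            if (base == "sudoedit") verdict = "OK-sudoedit"
            else if (base ~ /^(vi|view|ex|vedit|vim)$/)
                verdict = noexec ? "NOEXEC" : "ESCAPE-RISK"
            else continue
            print user, verdict, c
        }
    }' "$@"
}

sample_sudoers | audit_sudoers
```

Rules reported as ESCAPE-RISK run the editor itself as the target user, which is the case the original question describes.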
Wim Rombauts
Honored Contributor

Re: Trusted VI on HP-UX?

Another solution would be to initialize compartments on your system (cmpt_tune -e, needs a reboot unfortunately), make a copy of the vi binary to whatever name you like, create a compartment (like /etc/cmpt/vi.rules) which restricts access & permissions for executables in this compartment.
With setfilexsec -c, you can assign your vi-copy to this compartment. From that point on, anyone running this copy of vi will have limited system access. Even if it is root.
You can even prevent the user from forking a shell from within vi, and as such prevent anyone from executing any command from within your vi.

In HP-UX 11i v2, compartments was an add-on software. In HP-UX 11i v3, it is a standard functionality.

We use multiple compartments to limit unauthorized system access, especially for applications that are reachable from the internet.
chisle
Advisor

Re: Trusted VI on HP-UX?

Since we don't use AI64, that option doesn't work. Also, I tested the sudoedit function, and it still allows an escape to shell as root....

Any other ideas?
Jeff_Traigle
Honored Contributor
Solution

Re: Trusted VI on HP-UX?

Yes, sudoedit allows shell escape, but the person is not escaped into a root shell.
--
Jeff Traigle
Jeff_Traigle
Honored Contributor

Re: Trusted VI on HP-UX?

At least in the quick test I just did that appears to be the case...

sudoedit testfile
Enter some garbage
:shell
whois at the shell prompt showed non-root user who invoked sudoedit
--
Jeff Traigle
chisle
Advisor

Re: Trusted VI on HP-UX?

I guess I'll have to go back to remedial reading of the sudoers file, because I cannot make it restricted. :|

Here's a session invoked by user caa4573. Note the shell escapes:

:!who am i
root pts/0 Apr 09 14:55 (10.17.198.127)
[Press return to continue]
:!whoami
caa4573
[Press return to continue]
:!rm -f /tmp/OUT;touch /tmp/OUT;ls -ld /tmp/OUT
rm: 0653-609 Cannot remove /tmp/OUT.
Operation not permitted.
touch: 0652-048 Cannot change the modification time on /tmp/OUT.
-rw-r--r-- 1 root system 35972 Apr 09 14:56 /tmp/OUT


So, as you can see, not only can they shell out as root, but also affect the system as root.

The sudo command was: sudo -e /tmp/OUT

The sudo stanza: caa4573 ALL = sudoedit /tmp/OUT
chisle
Advisor

Re: Trusted VI on HP-UX?

Never mind...I see my problem. :)
chisle
Advisor

Re: Trusted VI on HP-UX?

The solution was to read more carefully the screen output that verified the suggested approach.

Thanks for the wasted cycles you spent on me. :)