Trusted VI on HP-UX?
03-17-2010 05:43 AM
Importance: if sudo/rbac allows vi access to any file as root, a user can execute a root shell!
I was wondering if you had any workarounds?
Here's my hack:
file: trusted_vi
perms: root:sys/500
access: via sudo (and the sudo command can limit it by file as well!)
#!/usr/bin/ksh
# trusted_vi: invoked as root via sudo; refuses anything but a plain, existing file
umask 022
# vi runs ":!cmd" and ":sh" through $SHELL, so hand it a shell that does nothing
SHELL=/usr/bin/false
export SHELL
if [ -z "$1" ] ; then
    echo "ERROR: You must provide a file name"
    exit 1
fi
# strip the characters we refuse; if anything was stripped, reject the name
file=$(printf '%s\n' "$1" | sed -e 's/[ ;,|\\\%\^\&\*\$\#\@\!]*//g')
if [ "$1" != "$file" ] ; then
    echo "ERROR: NO SPECIAL CHARS ALLOWED IN FILE NAMES!!!"
    echo 'ERROR: Bad chars: (space|tab) ; , | \ % ^ & * $ # @ !'
    echo "ERROR: you used: $1"
    exit 1
fi
if [ ! -f "$file" ] ; then
    echo "ERROR: $file does not exist!"
    echo "ERROR: You must specify an existing file"
    exit 1
fi
/usr/bin/vi "$file"
exit 0
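The two controls the trusted_vi wrapper relies on can be exercised outside of vi: the sed character filter on the file name, and SHELL=/usr/bin/false, which classic vi consults when it runs ":!cmd" or ":sh". The script below is an added example, not the poster's wrapper; the function names and the sample inputs are constructed for the demonstration. It models what vi does for ":!cmd" (exec "$SHELL -c cmd") so the effect of pointing SHELL at false can be seen without a terminal session. A wrapper can only control the environment it hands to the editor, which is why the later replies favour sudo's noexec where the platform supports it.

```shell
#!/bin/sh
# Added example, not the poster's trusted_vi script itself. It exercises the two
# controls that script relies on: the sed character filter on the file name, and
# SHELL=/usr/bin/false, which classic vi consults for ":!cmd" and ":sh".
# All inputs below are constructed for the demonstration.

# Same sed filter as the posted script; succeeds only if nothing was stripped.
name_is_clean() {
    cleaned=$(printf '%s' "$1" | sed -e 's/[ ;,|\\\%\^\&\*\$\#\@\!]*//g')
    [ "$1" = "$cleaned" ]
}

# The wrapper's pre-flight checks: a name was given, it is clean, and it names
# an existing regular file. Returns 0 when vi would be allowed to start.
vet_request() {
    if [ -z "$1" ]; then
        echo "ERROR: You must provide a file name"; return 1
    fi
    if ! name_is_clean "$1"; then
        echo "ERROR: special characters are not allowed in file names"; return 1
    fi
    if [ ! -f "$1" ]; then
        echo "ERROR: $1 does not exist"; return 1
    fi
    return 0
}

# Model of what vi does for ":!cmd" inside the wrapper: it runs "$SHELL -c cmd".
# With SHELL pointing at false, the command line is ignored and nothing runs,
# which is the behaviour the wrapper counts on.
escape_under_wrapper() {
    SHELL=/usr/bin/false
    [ -x "$SHELL" ] || SHELL=/bin/false   # path differs on some systems
    export SHELL
    "$SHELL" -c "$1"
}

# Demonstration on a constructed temporary file
demo_file=$(mktemp)
if vet_request "$demo_file"; then
    echo "clean request accepted: $demo_file"
fi
if ! vet_request "$demo_file;id"; then
    echo "request with ';' rejected, vi never started"
fi
if ! escape_under_wrapper 'id' 2>/dev/null; then
    echo "':!id' under SHELL=false produced no output and a failure status"
fi
rm -f "$demo_file"
```

Run it as an ordinary user; nothing in it needs root. The filter list is copied verbatim from the wrapper, so extending the wrapper's list and re-running the checks here is a quick way to confirm a change before it goes into the sudo rule.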
03-17-2010 07:36 AM
Re: Trusted VI on HP-UX?
You can also use sudo's noexec functionality to avoid shell escapes in general, since other programs besides vi allow them. See the sudoers man page for details of the syntax.
Jeff Traigle
03-17-2010 11:35 PM
Re: Trusted VI on HP-UX?
With setfilexsec -c you can even prevent the user from forking a shell from within vi, and as such prevent anyone from executing any command from within your vi.
In HP-UX 11i v2, compartments was add-on software. In HP-UX 11i v3, it is standard functionality.
We use multiple compartments to limit unauthorized system access, especially for applications that are reachable from the internet.
04-09-2010 11:46 AM
Re: Trusted VI on HP-UX?
Any other ideas?
04-09-2010 11:56 AM
Re: Trusted VI on HP-UX?
sudoedit testfile
Enter some garbage
:shell
whoami at the shell prompt showed the non-root user who invoked sudoedit
Jeff Traigle
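The sudoers syntax Jeff's noexec reply points at, and the mechanism behind the sudoedit session he shows, as one added example that is not part of the thread and not Jeff's own configuration. The policy lines use the NOEXEC: tag and the "Defaults!<command> noexec" form from sudoers(5) together with sudo's built-in sudoedit pseudo-command; the user name caa4573 and the path /tmp/OUT are taken from the thread. The second part models in plain shell what sudoedit does (copy the target out, run the editor without privilege on the copy, copy the contents back only if they changed), which is why whoami inside the editor reports the invoking user rather than root. The editor is a stand-in function assumed here so the script runs offline; no privilege drop is actually performed.

```shell
#!/bin/sh
# Added example, not part of the thread and not Jeff's own configuration.
# Part 1 is the sudoers policy his noexec reply refers to; part 2 models the
# sudoedit flow shown in his session. Assumptions: user caa4573 and /tmp/OUT
# come from the thread; the editor below is a stand-in function.

# Part 1: policy text. NOEXEC: and "Defaults!<cmd> noexec" are sudoers(5)
# syntax; sudoedit is sudo's pseudo-command. Check a candidate file with
# "visudo -c -f <file>" before installing it.
policy_text() {
    cat <<'EOF'
# Weak: a real editor as root, shell escapes intact
# caa4573 ALL = /usr/bin/vi /tmp/OUT

# Better: keep the rule but deny the editor any exec, so :! and :sh run nothing
Defaults!/usr/bin/vi noexec
caa4573 ALL = NOEXEC: /usr/bin/vi /tmp/OUT

# Preferred: sudoedit never runs the editor as root at all
caa4573 ALL = sudoedit /tmp/OUT
EOF
}

# Part 2: the sudoedit flow. $1 is the root-owned target, $2 the editor command,
# which is invoked with the path of a temporary copy. Real sudoedit runs the
# editor with the invoking user's uid; here that privilege drop is implied only.
safe_edit() {
    target=$1
    editor=${2:-edit_stub}
    tmp=$(mktemp) || return 1
    cp "$target" "$tmp" || { rm -f "$tmp"; return 1; }
    # The editor only ever sees the copy, never the real path.
    "$editor" "$tmp"
    if cmp -s "$target" "$tmp"; then
        rm -f "$tmp"
        echo "$target unchanged"        # sudoedit reports the same
        return 0
    fi
    # Only the privileged side writes back, and only the contents: ownership
    # and mode of the target stay as they were.
    cat "$tmp" > "$target" && rm -f "$tmp"
    echo "$target updated"
}

# Stand-in editor (assumed): behaves like a user appending one line and typing :wq
edit_stub() {
    printf 'line added by the unprivileged editor\n' >> "$1"
}

# Demonstration on a constructed temporary file
demo=$(mktemp)
printf 'original contents\n' > "$demo"
safe_edit "$demo"
safe_edit "$demo" true          # an editor that changes nothing
policy_text
rm -f "$demo"
```

The NOEXEC: rule only helps on platforms where sudo's noexec support works, so the sudoedit rule is the one to reach for first; it needs no special loader support because the editor simply never has root.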
04-09-2010 11:58 AM
Re: Trusted VI on HP-UX?
Here's a session invoked by user caa4573. Note the shell escapes:
:!who am i
root pts/0 Apr 09 14:55 (10.17.198.127)
[Press return to continue]
:!whoami
caa4573
[Press return to continue]
:!rm -f /tmp/OUT;touch /tmp/OUT;ls -ld /tmp/OUT
rm: 0653-609 Cannot remove /tmp/OUT.
Operation not permitted.
touch: 0652-048 Cannot change the modification time on /tmp/OUT.
-rw-r--r-- 1 root system 35972 Apr 09 14:56 /tmp/OUT
So, as you can see, not only can they shell out as root, but affect the system as root.
The sudo command was: sudo -e /tmp/OUT
the sudo stanza: caa4573 ALL = sudoedit /tmp/OUT
04-09-2010 12:00 PM
Re: Trusted VI on HP-UX?
Thanks for the wasted cycles you spent on me. :)