Operating System - HP-UX
Blocking shell escapes for sudoers

Ralph Grothe
Honored Contributor

Blocking shell escapes for sudoers

Hi,

I need to grant some DBAs writeable editing of system config files (e.g. like /etc/services).

Since I don't like changing group membership of these files to dba, nor even assigning an ACL to them, I would like to put the vi command under sudo.

The catch is how to prevent the shell escape from vi, which would give sudoers a root shell.

Let alone for vi, this would be easy to disable by simply setting the escape shell explicitly.

e.g.

EXINIT="set shell=/usr/bin/false" /usr/bin/vi /etc/services

The problem with this approach is that sudo sees the supposed environment variable EXINIT as a sudo qualifier which it doesn't find a sudoers definition for.

Maybe one could compile a vi version (e.g. from GNU) where one deliberately disables the shell escape functionality (viz. some sort of restricted vi).

But before doing this I'm sure someone of you will come around with a more tangible solution.

Rgd.
Ralph
Madness, thy name is system administration
Tom Dineen_2
Advisor

Re: Blocking shell escapes for sudoers

If you want to run a single command, I wonder if you can fire up secure shell running vi?
Maybe this will not work with sudoers?
Jeff_Traigle
Honored Contributor
Solution

Re: Blocking shell escapes for sudoers

Hmmm... not sure why the DBAs would need to be munging around in the /etc/services file in the first place... as I recall from my previous job, it's not necessary (at least for the RDBMS).

That being said, however, the most secure way I can think of to handle this is create a small setuid C program wrapper around the commands they need to insert and remove from the file. Has two benefits that I see... 1.) keeps them from doing anything to the file other than what they really need to do and 2.) doesn't allow them access to a shell as root. Not difficult to do... small amount of code that should be fairly easy to find online. (Been a while since I needed anything like that and don't have it handy.)
--
Jeff Traigle
curt larson_1
Honored Contributor

Re: Blocking shell escapes for sudoers

Have you thought of this:

They don't need to actually vi /etc/services. They only need to overwrite it.

All they need is read permission to make a copy of the file, and from there use vi to make their changes. Then they can do a sudo to copy their changes to /etc/services.

Cmnd_Alias CPSERVICES = /usr/bin/cp /home/dba/services /etc/services

this could get a bit tedious if you have quite a few config files to give access.
James A. Donovan
Honored Contributor

Re: Blocking shell escapes for sudoers

I faced a similar problem with sudo and created a short shell script called vin (vi 'no-shell'), and placed it in /usr/bin. I then gave sudo access to the appropriate people.

[morpheus|jdonovan]
$ cat /usr/bin/vin
SHELL=/bin/false
/usr/bin/vi $1

[morpheus|jdonovan]
$ ll /usr/bin/vin
-rwxr-xr-x 1 root sys 32 Mar 21 06:00 /usr/bin/vin
Remember, wherever you go, there you are...
Charlie Rubeor
Frequent Advisor

Re: Blocking shell escapes for sudoers

I have never had a need to do this, but can't you tell sudo to keep certain environment variables with the env_reset and env_keep parameters in the Defaults section of the sudoers file?

Setting env_reset to "on" and env_keep to "EXINIT" should preserve the EXINIT environment variable in the sudo-spawned process.

Ralph Grothe
Honored Contributor

Re: Blocking shell escapes for sudoers

Charlie,

I didn't know these env_(reset|keep) settings exist because the sudoers manpage of my version of sudo doesn't mention them.
Having had a look at http://www.courtesan.com/ I soon discovered that in fact the release I am using is pretty dated.

# sudo -V|head -1
Sudo version 1.6.3p4

while 1.6.7 seems to be the current release.
And indeed the online manpage of sudoers mentions the env_* settings.

Therefore I think it would probably be the best to update to the new release.


Jim,

your solution most likely will also work, and looks pretty straightforward.


Curt,

of course, your solution looks even better as it avoids the use of vi altogether.


Jeff,

yet another way that will work,
but requires the extra work of writing a wrapper, though I'm convinced I could also write it in Perl (which knows all the required syscalls for that but is much easier than C to me).


Tom,

did you mean a restricted shell like HP-UX rsh (not to be confused with other Unices' remote shell)?
Madness, thy name is system administration
Steve Horvath
Frequent Advisor

Re: Blocking shell escapes for sudoers

I know this thread is old, but it was still helpful for me (thanks guys) and will add how I applied it:

I have a situation where a handful of operational tasks are required with root privileges, so I wrote a menu driven script run under sudo. One task is editing a few config files, so I came across this thread when googling "sudo vi shell escape" :) Based on Jim's suggestion above, I came up with the following (excerpt from my wrapper script):

HOLDER=$SHELL
SHELL=/bin/false
export SHELL    # vi reads SHELL from its environment, so it must be exported
vi "$CFG_FILE"  # shell esc no longer works
SHELL=$HOLDER
export SHELL
# to test: try vi $CFG_FILE here and esc works again

Cheers!
Heironimus
Honored Contributor

Re: Blocking shell escapes for sudoers

So what's going to stop people from doing things like ":e /etc/passwd" and ":w /etc/sudoers" from that vi session?
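The copy-then-install pattern Curt describes, carried through as a small wrapper in which vi never runs as root, so the :e/:w objection above no longer applies; this is an added example, not code from any poster (later sudo releases, 1.6.8 onward, ship sudoedit for the same purpose). It assumes the hypothetical staging directory, allow-list and sudoers alias named in the comments, and PREFIX/STAGE/SUDO variables that exist only so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from this thread): copy, edit unprivileged, then install.
# vi runs as the DBA, so :shell, :e and :w reach only files the DBA can already
# touch; the only privileged step is one cp to a target on an explicit allow-list.
# Assumed (hypothetical) sudoers entry, exact paths and no wildcards (sudoers
# argument wildcards also match spaces and slashes); this entry, not the script,
# is what actually enforces the allow-list:
#   Cmnd_Alias CFGINSTALL = /usr/bin/cp /home/dba/stage/services /etc/services, \
#                           /usr/bin/cp /home/dba/stage/hosts /etc/hosts
#   %dba ALL = CFGINSTALL
# PREFIX, STAGE and SUDO are overridable only so the script can be tested offline.
PREFIX=${PREFIX:-}
ALLOWED="/etc/services /etc/hosts"
STAGE=${STAGE:-/home/dba/stage}
SUDO=${SUDO:-sudo}

# allowed_target PATH -> 0 only if PATH is exactly one of the allowed files.
# Plain string compare: "/etc/../etc/services" and globs are rejected.
allowed_target() {
    for t in $ALLOWED; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# stage_copy TARGET -> copies TARGET into STAGE as the caller (no sudo) and
# prints the staged path, fixed to STAGE/<basename> to match the sudoers entry.
stage_copy() {
    allowed_target "$1" || return 1
    mkdir -p "$STAGE" || return 1
    staged="$STAGE/$(basename "$1")"
    cp "$PREFIX$1" "$staged" || return 1
    printf '%s\n' "$staged"
}

# install_file STAGED TARGET -> the single privileged step.  Re-checks the
# allow-list and refuses symlinks: cp as root would otherwise read the link's
# target into a world-readable config file.
install_file() {
    allowed_target "$2" || return 1
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    $SUDO cp "$1" "$PREFIX$2"
}
# Interactive entry point: edit_config /etc/services
edit_config() {
    staged=$(stage_copy "$1") || { echo "not an editable file: $1" >&2; return 1; }
    ${EDITOR:-vi} "$staged"   # runs as the DBA; a shell escape yields a DBA shell
    install_file "$staged" "$1"
}
```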