HPE Community
Operating System - HP-UX
1822550 Members
2970 Online
109642 Solutions
New Discussion юеВ

Re: sudo security issue with vi, more commands

 
Deepak.R
Frequent Advisor

тАО07-18-2005 11:43 AM

тАО07-18-2005 11:43 AM

sudo security issue with vi, more commands

Hi Gurus,

I use sudo for controlled access in HP boxes and have given access of more and vi commands to users. Now when I run, for example,

$/usr/bin/sudo /usr/bin/more filename

from more , I can escape to shell ( ! ) and this shell would be a root shell and I can execute whatever from there and this is a BIG security loophole and want to close it.

I can not stop access to these command as well.

Pls tell me if there is any workaround for this.

thanks
deepak
0 Kudos
Reply
11 REPLIES 11
vinod_25
Valued Contributor

тАО07-18-2005 12:03 PM

тАО07-18-2005 12:03 PM

Re: sudo security issue with vi, more commands

hi deepak

Make the suid script act as the restricted shell for this user. You can do this by setting the /etc/passwd entry for this user not a shell, such as /sbin/sh, but instead as the name of the script, /usr/contrib/bin/rapp_menu.

Note: The r before app_menu signals a restricted shell.

The effect then is that the script runs as root, but the usercannot suspend the script and drop to a root subshell. When the script is complete, the user is automatically logged off.

Hope this sprays some light to ur query

Regards

Vinod K
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО07-18-2005 12:06 PM

тАО07-18-2005 12:06 PM

Re: sudo security issue with vi, more commands

You have not configured sudo to be restrictive. You do NOT give vi (and a LOT of other commands like rm, chmod, etc) to casual users. You don't need to run vi at all. Just type: sudo sh and you now have your root shell. TAKE AWAY EVERYTHING, then start by giving them something simple like the lpsched and lpshut command and if the user is trustworthy and properly trained, you might give them the lpadmin command. You MUST have a list of allowable commands for each user, not ALL=ALL in your sudoers file.

So here's how you close it. No one gets sudo access until you create a list of commands, and in some cases, the only allowable parameters. For instance, you can allow mount and umount but only if the 1st parameter is the device file for the CDROM drive.

Better yet, NO ordinary user gets a shell prompt. Instead, they get a menu that they cannot escape. The menu has a list of commands the user can run.


Bill Hassell, sysadmin
0 Kudos
Reply
Patrick Wallek
Honored Contributor

тАО07-18-2005 01:59 PM

тАО07-18-2005 01:59 PM

Re: sudo security issue with vi, more commands

If you are having that type of problem with giving access via sudo, it might be time take another look at how your have your system set up.

If there are a lot of users that need access to some files, then you need to look at group permissions for the file and those users. The same thing applies whether you are talking about vi or more.

There is really no good reason I can thing of for normal users to have root access to run more or vi.
0 Kudos
Reply
Gopi Sekar
Honored Contributor

тАО07-18-2005 03:09 PM

тАО07-18-2005 03:09 PM

Re: sudo security issue with vi, more commands


I think sudo is not your friend in this situation. I would go with other member's suggestion of user/group permission. List out all the users who has to access a particular file, add them to a particular group and give that group write access to the file.

As far as I know you only need read permission for a file to use more, so try to give group read permission to use with more.

Regards,
Gopi
Never Never Never Giveup
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor

тАО07-18-2005 06:17 PM

тАО07-18-2005 06:17 PM

Re: sudo security issue with vi, more commands

Bill,

thank You!

I think You're the first sudo user I ever meet actually configuring it :)
At times will people show me sudo, being very happy about the increased security it provides them.
Until I ask them to type 'sudo passwd root', that is. After that I ask them to read the documentation and properly use it....
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО07-18-2005 06:27 PM

тАО07-18-2005 06:27 PM

Re: sudo security issue with vi, more commands

sudo gives the keys to the computer to anyone in the sudoers file, so like any security policy, I only give certain keys to certain users. For workstation users, they can type sudo mount /cdrom and sudo umount /cdrom, but everything else fails (and both success and failure are looged in syslog). sudo is an excellent tool but a when thought out, sudoers will be a very big file with lots of entries to constrain the users.


Bill Hassell, sysadmin
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor

тАО07-18-2005 06:33 PM

тАО07-18-2005 06:33 PM

Re: sudo security issue with vi, more commands

...which is a shared disadvantage with HP-UX/Solaris RBAC, unfortunately.

Sometimes the policy management of Windows/AIX seems much more beautiful, if it weren't even worse ;)
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Reply
Andrew Cowan
Honored Contributor

тАО07-19-2005 06:25 PM

тАО07-19-2005 06:25 PM

Re: sudo security issue with vi, more commands

Deepak,

If you want to lock down vi and more (this is not perfect), create a .exrc file, or set the shell variable $EXINIT, and set the shell to "nologin". This should prevent the user from shell'ing out of either command.

Example:
set shell=/bin/nologin
set exrc=noexrc

chmod 550 ~/.exrc
0 Kudos
Reply
Elif Gius
Valued Contributor

тАО07-20-2005 11:12 PM

тАО07-20-2005 11:12 PM

Re: sudo security issue with vi, more commands

We had the same problem.
Be also careful with the command "pg".

So we changed that the user is only allowed to view files via the command cat.
That works!
0 Kudos
Reply
Rick Garland
Honored Contributor

тАО07-21-2005 12:03 AM

тАО07-21-2005 12:03 AM

Re: sudo security issue with vi, more commands

Here is a sudoers entry that solved a lot of problems for unauthourized access

Note the ! characters for the root acces.


%baradm ALL=NOPASSWD:SU,!/usr/bin/su *root*,!/usr/bin/su "", \
!/usr/bin/su -,!RLOGIN,READ,DV,KILL,PRINTING,FIND,ADMINS
0 Kudos
Reply
Rodney Hills
Honored Contributor

тАО07-21-2005 12:09 AM

тАО07-21-2005 12:09 AM

Re: sudo security issue with vi, more commands

If these files are you need to "vi" or "more" are normally not available to users, and you are using "sudo" to access them, then take a look at group permissions.

If group permissions won't solve the problem, then if you get the newest version of "sudo", it has the ability to run as any user (not just root). That way you can give permission to the file without giving away the whole store.

HTH

-- Rod Hills
There be dragons...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.