LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Blogs > arniekat
User Name
Password

Notices

Rate this Entry

Slackware-13.1-Hacks-Su/Sudo Hardening

Posted 03-07-2011 at 12:20 PM by arniekat

Su/Sudo Hardening Tutorial

In a default Slackware 13.1 installation, you create a root user with a root password. Normally, I create a regular user who is a member of the following groups: audio, cdrom, floppy, netdev, plugdev, power, users, video and wheel. The thought being that only members of the "wheel" group should be allowed to su (switch user) to root to do administrative work. Here's how it works:

bash-4.1$ su
Password: <root_password>
bash-4.1#

The trouble is, if you know the root password, you can su to root even if you are NOT a member of the wheel group! The reason is that the binary is executable by anyone. To fix this, we will do 2 things (be sure you have at least one user who is a member of the "wheel" group or you will not be able to su to root):

1. Remove the executable bit for "others"
2. Change the ownership of the binary to root:wheel

Here are the permissions before the modifications

# ls -al /bin
-rws--x--x 1 root root 56229 Feb 28 2010 su

The commands to make the modifications are:

# chmod o-x /bin/su
# chown root:wheel /bin/su

Here are the permissions after the modifications

bash-4.1# ls -al /bin/su
-rws--x--- 1 root wheel 56229 Feb 28 2010 /bin/su

After these changes, whenever anyone NOT in the group "wheel" tries to su to root, here is the response they will get:

bash-4.1$ su
Bash: /bin/su: Permission denied

SUAUTH FILE

Manpage - The file /etc/suauth is referenced whenever the su command is called. It can change the behaviour of the su command, based upon: 1) the user su is targeting 2) the user executing the su command (or any groups he might be a member of).

You may be wondering why we would need the /etc/suauth file if we changed the permissions above on the binary. The reason is to have defense-in-depth. Let's say someone starts out as an unprivileged user (non "wheel" group member) trying to get root privileges, they would have to get past the permissions of the binary and the limiting /etc/suauth file, so these are two things the cracker would need to overcome. It makes their work more difficult.

NOTE - The file /etc/suauth does not exist in the default Slackware 13.1 install. It must be created.

The manual method of creating it is as follows:

# touch /etc/suauth
# chown root:wheel /etc/suauth
# chmod 0440 /etc/suauth
# vi /etc/suauth

Add the following line to the file /etc/suauth, close and save the file.

root:ALL EXCEPT GROUP wheelENY

The next section is a script that will create the /etc/suauth file.

#!/bin/sh
# Restricting Root Access To Members Of The "Wheel"
# Group. This is the BSD Way Of Doing Things
# Format "to-id: from-ID: ACTION"
cat << END_SUAUTH >> /etc/suauth
# Format "to-id: from-ID: ACTION"
# A couple of privileged users may su to root
# with their own password
# root:username1,username2:OWNPASS
# Anyone else may not su to root unless
# they are a member of the "wheel" group
root:ALL EXCEPT GROUP wheelENY
END_SUAUTH
chown root:wheel /etc/suauth
chmod 0440 /etc/suauth

After these changes, whenever anyone NOT in the group "wheel" tries to su to root, here is the response they will get:

bash-4.1$ su
Bash: Access to su to that account DENIED.
You are not authorized to su root
bash-4.1$

SUDO

Sudo allows you to execute commands using other accounts, including the root account. It is used to do administrative work. It runs the command and returns you to your non-root shell. The benefit of sudo is that it leaves an audit-trail by logging all the commands that were run to the log file /var/log/secure

By default, sudo requires users to authenticate themselves using their own password, not the root password. You can do administrative work without ever using the root account and password. Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).

To edit the file /etc/sudoers, use the command visudo. The visudo command is a version of vi that checks the sudoers file for errors so you don't accidentally lock yourself out of being able to run sudo.

# visudo

Uncomment the following line in the file /etc/sudoers to allow only members of the "wheel" group to run sudo.

# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL

Save the file and exit.

Some things to keep in mind regrading sudo is that if someone has the password of an adminstrator account (someone in the wheel group), then they can run commands as root. Make sure the adminstrator account passwords are good passwords.

Do not use the NOPASSWD directive, since this allows anyone with access to the administrator account to run commands as root without entering any password. Not a good thing.

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
Posted in Uncategorized
Views 4539 Comments 1
« Prev     Main     Next »
Total Comments 1

Comments

  1. Old Comment
    root:ALL EXCEPT GROUP wheel : DENY
    Posted 04-26-2011 at 10:56 PM by _sge _sge is offline
 

  



All times are GMT -5. The time now is 10:03 PM.

Main Menu
Advertisement

My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration