Slackware-13.1-Hacks-Su/Sudo Hardening
Posted 03-07-2011 at 12:20 PM by arniekat
Su/Sudo Hardening Tutorial
In a default Slackware 13.1 installation, you create a root user with a root password. Normally, I create a regular user who is a member of the following groups: audio, cdrom, floppy, netdev, plugdev, power, users, video and wheel. The thought being that only members of the "wheel" group should be allowed to su (switch user) to root to do administrative work. Here's how it works:
bash-4.1$ su
Password: <root_password>
bash-4.1#
The trouble is that anyone who knows the root password can su to root whether or not they are a member of the wheel group. The reason is that /bin/su is set-uid root and executable by everyone, and su itself never looks at group membership. To fix this, we will do 2 things (be sure you have at least one user who is a member of the "wheel" group, or nobody will be able to su to root):
1. Change the ownership of the binary to root:wheel
2. Set the mode explicitly to 4710, which keeps the set-uid bit and removes the executable bit for "others"
The order matters. On Linux, changing the owner or group of a file clears its set-uid bit, so a chown done after "chmod o-x" leaves /bin/su without the s bit, su can no longer read /etc/shadow, and it fails for everyone, wheel members included. Do the chown first and set the full mode afterwards.
Here are the permissions before the modifications:
# ls -l /bin/su
-rws--x--x 1 root root 56229 Feb 28 2010 /bin/su
The commands to make the modifications are:
# chown root:wheel /bin/su
# chmod 4710 /bin/su
Here are the permissions after the modifications (check that the s is still there):
# ls -l /bin/su
-rws--x--- 1 root wheel 56229 Feb 28 2010 /bin/su
After these changes, whenever anyone NOT in the group "wheel" tries to su to root, the shell refuses to execute the binary at all:
bash-4.1$ su
bash: /bin/su: Permission denied
Recheck the permissions after every upgrade of the shadow package: Slackware packages carry their own file modes, so upgradepkg puts /bin/su back to the default shown above.
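The procedure above, as an added example that is not part of the original post. It locks a set-uid binary to one group in the order that survives chown, and verifies the result with stat. The binary path and the numeric uid/gid are parameters (an assumption made here so the same functions can be exercised on a scratch file without being root); gid_of_group reads /etc/group directly rather than relying on getent. The demo function shows the set-uid bit vanishing on chown before the fix restores it.

```shell
#!/bin/sh
# Added example (not from the post): lock a set-uid binary such as /bin/su to
# one group in the order that survives chown. On Linux, changing the owner or
# group of a regular file clears its set-uid bit, so chown must run first and
# the mode is set last and explicitly, so the "s" bit is guaranteed present.
# Paths and numeric IDs are parameters (assumption) so the same functions can
# be exercised on a scratch file without being root.
set -u

# gid_of_group NAME -> prints the numeric gid from /etc/group (no getent needed)
gid_of_group() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' /etc/group
}

# file_mode PATH -> prints "uid gid octal-mode", e.g. "0 10 4710" (GNU/busybox stat)
file_mode() {
    stat -c '%u %g %a' "$1"
}

# check_locked PATH UID GID -> 0 if PATH is owned by UID:GID with mode 4710
# (set-uid, rwx for owner, x for group, nothing for others), otherwise 1
check_locked() {
    [ "$(file_mode "$1")" = "$2 $3 4710" ]
}

# harden_su PATH UID GID -> chown first (this drops set-uid), then set the full
# mode including set-uid, then verify. Returns 0 only if the result is 4710.
harden_su() {
    chown "$2:$3" "$1" || return 1
    chmod 4710 "$1" || return 1
    check_locked "$1" "$2" "$3"
}

# demo -> shows the set-uid bit disappearing on chown, then the fix, on a
# scratch file owned by the caller. Real use, as root:
#   harden_su /bin/su 0 "$(gid_of_group wheel)"
demo() {
    f=$(mktemp) || return 1
    chmod 4710 "$f"
    echo "before chown: $(file_mode "$f")"
    chown "$(id -u):$(id -g)" "$f"
    echo "after chown:  $(file_mode "$f")"
    harden_su "$f" "$(id -u)" "$(id -g)" && echo "hardened:     $(file_mode "$f")"
    rm -f "$f"
}
```

Running demo as an ordinary user prints the mode as 4710, then 710 after the chown, then 4710 again once harden_su has set it explicitly; that middle line is exactly what a chmod-then-chown sequence would leave on /bin/su.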
SUAUTH FILE
From the suauth(5) man page: the file /etc/suauth is referenced whenever the su command is called. It can change the behaviour of the su command, based upon: 1) the user su is targeting 2) the user executing the su command (or any groups he might be a member of).
You may be wondering why we would need the /etc/suauth file if we changed the permissions above on the binary. The reason is defense-in-depth: the two controls fail independently. If the file mode on /bin/su is reset (a shadow package upgrade does exactly that), /etc/suauth still refuses non-wheel users before a password is even asked for; if /etc/suauth is deleted or mistyped, the execute-bit restriction still holds. Someone starting out as an unprivileged user (non "wheel" group member) has to get past both, which makes their work more difficult. Note that /etc/suauth is honoured only by the shadow su that Slackware 13.1 ships; su built with PAM ignores the file and uses pam_wheel for the same job.
NOTE - The file /etc/suauth does not exist in the default Slackware 13.1 install. It must be created.
The manual method of creating it is as follows:
# touch /etc/suauth
# chown root:wheel /etc/suauth
# chmod 0440 /etc/suauth
# vi /etc/suauth
Add the following line to the file /etc/suauth, then save and close the file. The three fields are separated by colons with no whitespace around them; a line with spaces around a colon never matches anything.
root:ALL EXCEPT GROUP wheel:DENY
This reads: for su to root, from anyone who is not in group wheel, deny. Per suauth(5), only the member list in /etc/group counts: a user whose primary group in /etc/passwd is wheel but who is not listed on the wheel line in /etc/group is still denied.
The next section is a script that will create the /etc/suauth file. It appends, so run it once; a second run would duplicate the rules (harmless, since the first matching line wins, but untidy).
#!/bin/sh
# Restricting Root Access To Members Of The "Wheel"
# Group. This is the BSD Way Of Doing Things
# Format "to-id:from-id:ACTION" (no whitespace around the colons)
set -e
umask 077
cat << 'END_SUAUTH' >> /etc/suauth
# Format "to-id:from-id:ACTION"
# A couple of privileged users may su to root
# with their own password
# root:username1,username2:OWNPASS
# Anyone else may not su to root unless
# they are a member of the "wheel" group
root:ALL EXCEPT GROUP wheel:DENY
END_SUAUTH
chown root:wheel /etc/suauth
chmod 0440 /etc/suauth
With this rule in place, anyone NOT in the group "wheel" who can still execute su (for example because the permission change above was undone by a package upgrade) is refused by su itself, before any password is asked for, and the refusal is logged through syslog:
bash-4.1$ su
Access to su to that account DENIED.
You are not authorized to su root
bash-4.1$
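A dry-run evaluator for /etc/suauth rules, added here as an example; it is not shadow's code. It follows the rules in suauth(5): three colon-separated fields with no surrounding whitespace, first matching line wins, and GROUP membership taken only from the member list in /etc/group. The rule and group files are parameters (an assumption, so it can run against the constructed samples below, in which only alice is listed in wheel and the first rule has spaces around a colon). Treating an unrecognized action as "report and move on to the next line" is my reading of shadow's suauth.c; check the source of your shadow release if exact parity matters.

```shell
#!/bin/sh
# Added example (not shadow's code): a dry-run evaluator for /etc/suauth rules
# following suauth(5): lines are "to-id:from-id:ACTION", no whitespace around
# the colons, the first matching line wins, and GROUP membership is taken only
# from the member list in /etc/group (a primary gid in /etc/passwd does not
# count). File paths are parameters (assumption) so it runs on sample files.

# in_list NAME LIST -> 0 if NAME is one of the comma-separated names in LIST
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# in_groups USER GROUPS GROUPFILE -> 0 if USER appears in the member list of
# any of the comma-separated GROUPS in GROUPFILE (/etc/group format)
in_groups() {
    awk -F: -v u="$1" -v gs="$2" '
        BEGIN { n = split(gs, want, ",") }
        { for (i = 1; i <= n; i++) if ($1 == want[i]) {
              m = split($4, mem, ",")
              for (j = 1; j <= m; j++) if (mem[j] == u) { found = 1; exit }
          } }
        END { exit !found }' "$3"
}

# matches_field USER FIELD GROUPFILE -> 0 if a to-id/from-id FIELD covers USER.
# FIELD forms: ALL | u1,u2 | ALL EXCEPT u1,u2 | GROUP g1,g2 | ALL EXCEPT GROUP g1,g2
matches_field() {
    u=$1 f=$2 gf=$3
    case "$f" in
        ALL)                  return 0 ;;
        "ALL EXCEPT GROUP "*) ! in_groups "$u" "${f#ALL EXCEPT GROUP }" "$gf" ;;
        "ALL EXCEPT "*)       ! in_list   "$u" "${f#ALL EXCEPT }" ;;
        "GROUP "*)            in_groups   "$u" "${f#GROUP }" "$gf" ;;
        *)                    in_list     "$u" "$f" ;;
    esac
}

# suauth_decide FROM TO RULEFILE GROUPFILE -> prints DENY, NOPASS or OWNPASS
# from the first matching rule, or DEFAULT when nothing matches (su then asks
# for TO's password as usual). Malformed lines and unrecognized actions are
# reported on stderr and skipped (my reading of shadow's suauth.c).
suauth_decide() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *:*:*:*) echo "suauth: too many fields, skipped: $line" >&2; continue ;;
            *:*:*)   ;;
            *)       echo "suauth: malformed, skipped: $line" >&2; continue ;;
        esac
        to_id=${line%%:*}; rest=${line#*:}
        from_id=${rest%%:*}; action=${rest#*:}
        matches_field "$2" "$to_id"   "$4" || continue
        matches_field "$1" "$from_id" "$4" || continue
        case "$action" in
            DENY|NOPASS|OWNPASS) echo "$action"; return 0 ;;
            *) echo "suauth: unrecognized action '$action', skipped: $line" >&2 ;;
        esac
    done < "$3"
    echo DEFAULT
}

# Constructed sample files (not real system files). The first rule has spaces
# around a colon, so it never matches; only alice is listed as a wheel member.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample /etc/suauth
root:ALL EXCEPT GROUP wheel : DENY
root:bob:OWNPASS
root:ALL EXCEPT GROUP wheel:DENY
EOF
}
make_sample_groups() {
    cat > "$1" <<'EOF'
root:x:0:
wheel:x:10:alice
users:x:100:alice,bob,carol
EOF
}

# Usage: d=$(mktemp -d); make_sample_rules "$d/suauth"; make_sample_groups "$d/group"
#        suauth_decide carol root "$d/suauth" "$d/group"     # prints DENY
```

Against the samples, carol is denied, bob is allowed with his own password, and alice falls through to DEFAULT (the normal root-password prompt); pointing the same function at the real /etc/suauth and /etc/group answers "what would this user get" without touching su.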
SUDO
Sudo lets you run commands as other users, including root, and is the usual way to do administrative work: it runs one command with elevated privilege and returns you to your own non-root shell. Its main benefit over su is the audit trail: every command run through it is logged, on Slackware to /var/log/secure.
By default, sudo requires users to authenticate themselves using their own password, not the root password. You can do administrative work without ever using the root account and password. Once a user has been authenticated, a time stamp is updated and the user may then use sudo without a password for a short period of time (5 minutes unless overridden in sudoers).
To edit the file /etc/sudoers, always use the command visudo. It opens the file in your editor (vi by default), locks it against concurrent edits, and checks the syntax before installing it, so a typo cannot lock you out of being able to run sudo. visudo -c checks the installed file without editing it.
# visudo
Uncomment the following line in the file /etc/sudoers so that members of the "wheel" group may run any command as root after entering their own password; nobody else is granted anything.
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Save the file and exit.
Some things to keep in mind regarding sudo: anyone who has the password of an administrator account (a member of the wheel group) can run commands as root, so make sure those accounts have strong passwords. A wheel member with ALL can also start a root shell (sudo -i, sudo su -), and the commands typed inside that shell are not logged individually, only the shell start is.
Do not use the NOPASSWD directive, since it lets anyone with access to the administrator account (an unattended terminal, a stolen SSH key) run commands as root without entering any password. Not a good thing.
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
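The audit trail mentioned above is only useful if someone reads it. The following added example (not part of the original post) extracts "who ran what, as whom, and did it succeed" from sudo's syslog lines and counts failures per user, which is the quickest way to spot password guessing or probing by non-admins. The log lines are constructed to match sudo's format; the host and user names are made up, and the assumption is that your syslog.conf delivers sudo's messages to /var/log/secure as Slackware's default does.

```shell
#!/bin/sh
# Added example (not part of the post): pull the audit trail out of syslog-style
# lines such as sudo writes to /var/log/secure, answering "who ran what, as
# whom, and did it succeed". Sample log lines are constructed to match sudo's
# format; host and user names are made up.

# sudo_audit LOGFILE -> one line per sudo event, "user|result|target|command".
# result is OK, BADPASS (N incorrect password attempts), NOTALLOWED (user NOT
# in sudoers) or OTHER for any other message sudo puts in that slot.
sudo_audit() {
    awk '
        / sudo: / {
            rec = $0
            sub(/^.* sudo: +/, "", rec)          # drop "date host sudo:  " prefix
            n = split(rec, f, / ; /)             # "user : detail", TTY=, PWD=, USER=, COMMAND=
            split(f[1], head, / : /)             # head[1]=user, head[2]=TTY=.. or failure text
            user = head[1]; result = "OK"
            if      (head[2] ~ /incorrect password/) result = "BADPASS"
            else if (head[2] ~ /NOT in sudoers/)     result = "NOTALLOWED"
            else if (head[2] !~ /^TTY=/)             result = "OTHER"
            target = ""; cmd = ""
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
                if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)   # keeps the arguments
            }
            print user "|" result "|" target "|" cmd
        }' "$1"
}

# sudo_failures LOGFILE -> "user count" for every user with a non-OK event,
# sorted by user
sudo_failures() {
    sudo_audit "$1" | awk -F'|' '$2 != "OK" { c[$1]++ } END { for (u in c) print u, c[u] }' | sort
}

# sample_sudo_log PATH -> writes constructed log lines in sudo's format, plus
# one unrelated sshd line that must be ignored
sample_sudo_log() {
    cat > "$1" <<'EOF'
Mar  7 12:20:01 slack sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/reboot
Mar  7 12:21:05 slack sudo:    bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  7 12:22:10 slack sudo:  carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  7 12:23:00 slack sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  7 12:24:30 slack sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
EOF
}

# Usage on a live box: sudo_failures /var/log/secure
```

On the sample, sudo_audit reports alice's two successful commands, bob's failed password attempts and carol's attempt to read /etc/shadow without being in sudoers; sudo_failures reduces that to "bob 1" and "carol 1". A command whose own arguments contain " ; " would be split by the simple field separator, which is acceptable for a review script but not for anything adversarial.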
COMMENTS
root:ALL EXCEPT GROUP wheel : DENY
Posted 04-26-2011 at 10:56 PM by _sge