LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 02-21-2013, 12:59 PM   #16
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,044

Rep: Reputation: 521Reputation: 521Reputation: 521Reputation: 521Reputation: 521Reputation: 521

You also have a problem with shell metacharacters.

consider your "sudo chmod <arbitrary file>"...

What if that arbitrary file is/or contains '`rm -rf /`'.....

When that gets evaluated it will be reprocessed... with privileges.
 
Old 02-21-2013, 01:26 PM   #17
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,241

Rep: Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475
Quote:
Originally Posted by jpollard View Post
You also have a problem with shell metacharacters.

consider your "sudo chmod <arbitrary file>"...

What if that arbitrary file is/or contains '`rm -rf /`'.....When that gets evaluated it will be reprocessed... with privileges.
It *COULD*...but again, if the shell script is written to look for/reject such things, it will kick out and die. You've got control of what goes in, and how it's tested.

And there are no perfect solutions to anything like this. There will ALWAYS be holes, as long as there are users. At least in this case, they can only run one shell script, and since it's preceded by sudo, the exact string/command will be logged. If someone does something wrong, it'll be VERY easy to spot, which will be a deterrent. And, if that user can't be trusted with sudo rights, they shouldn't be able to run anything as sudo. There's also a bit of security-through-obfuscation, since the user won't know what's in that shell script, what it looks for/logs, or how it works. Just that it DOES.
 
Old 02-21-2013, 07:06 PM   #18
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,044

Rep: Reputation: 521Reputation: 521Reputation: 521Reputation: 521Reputation: 521Reputation: 521
None of that is relevant if the user account gets compromised.

BTW, it is nearly impossible to get a shell script to validate strings properly...

Last edited by jpollard; 02-21-2013 at 07:08 PM.
 
Old 02-22-2013, 08:55 AM   #19
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,241

Rep: Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475Reputation: 2475
Quote:
Originally Posted by jpollard View Post
None of that is relevant if the user account gets compromised.

BTW, it is nearly impossible to get a shell script to validate strings properly...
Right. Again, this isn't a perfect solution, just the simplest for what the user needs to do.

As far as I know, there ARE no perfect solutions to security, other than locking your computer in a bank-vault, that only YOU can open, and never connecting it to a network or running any software that you, yourself didn't write.

And if a user account gets compromised, you have problems anyway, no matter which account it is.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] After modifying /etc/sudoers file, new users can not run specified commands mansour Linux - Newbie 15 04-13-2011 11:04 AM
[SOLVED] Can't chmod /etc/sudoers file cola Linux Mint 2 05-22-2010 05:13 AM
chmod 775 to only the directories and chmod 664 to only the files? apachenew Linux - Security 6 09-27-2007 03:26 PM
I deleted /etc/sudoers and creates a new file call sudoers but now it doesnt for visu abefroman Linux - Software 1 11-10-2005 05:03 PM
How to copy one file in all users directories aizkorri Programming 1 09-02-2002 07:32 AM


All times are GMT -5. The time now is 08:52 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration