LinuxQuestions.org
Old 01-15-2013, 04:32 AM   #1
r0tty
echo "${SUDO_PASSWORD}" | ssh sudo -S command


Hi,

I'm just trying to work out how insecure this is?

I want to write a script that will use SSH to call sudo on a remote machine. I have SSH keys set-up so that I do not need to enter a password to issue commands on my (non-root) account on the remote machine. The script uses 'read -s SUDO_PASSWORD' to get the sudo password - so it's not hard-coded anywhere or written to command history.

So, my question is about how insecure is it to use this within the script:

echo "${SUDO_PASSWORD}" | ssh ${REMOTE_MACHINE} "sudo -S sh -c id"

NB: 'id' is only an example command - in the script this would be a variable.

I presume that 'echo' is a built-in so it won't show up in 'ps' command output on the local machine. Everything happening on the remote machine is via SSH so I presume that is secure (in this case 'secure' means secure enough - it is always possible to argue things are not 100% secure in my experience). Finally the password is present in memory as $SUDO_PASSWORD on the local machine, but I presume that is reasonably secure from anyone unless they already have root access?

Incidentally I did solve the problem another way - by using 'expect' to inject the password when prompted. This works fine, and is probably what I will use as it has slightly less of the security concerns mentioned above. It still has some though and I'm interested to know what the security issues are with the 'echo | ssh sudo' solution.

Thanks in advance for any assistance with this.

Rotty

Last edited by r0tty; 01-15-2013 at 04:34 AM.
 
Old 01-15-2013, 07:24 AM   #2
linosaurusroot
In this variant you give the password direct to sudo without an intermediate script and then call sudo a 2nd time (relying on the sudo cache - assuming you use default settings) to execute your payload. That keeps the password out of a shell variable so I suggest this is a minor improvement.

Code:
echo "${SUDO_PASSWORD}" | ssh ${REMOTE_MACHINE} "sudo -S id && sudo command"
There is also the NOPASSWD option that could be applied to the relevant command in the sudoers file.
 
Old 01-16-2013, 01:37 PM   #3
mina86
Quote:
Originally Posted by r0tty View Post
I'm just trying to work out how insecure this is?
For one, you give out your password to anyone who has access to the machine you are running this on.

I'd recommend using a setuid wrapper that runs a shell script that does what you need. Here's how you do that:
Code:
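$ mkdir -m700 ~/foobar
$ cd ~/foobar
$ cat >foobar.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define HOME "/home/you" /* change this accordingly */

/* Fixed environment, so the caller's PATH, IFS, ENV etc. never reach the root shell. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

int main(void) {
	if (setuid(0)) {
		perror("setuid");
	} else {
		/* argv[0] is "sh"; the script path must be argv[1], or sh would read commands from stdin. */
		execle("/bin/sh", "sh", HOME "/foobar/foobar.sh", (char *)NULL, clean_env);
		perror("exec: /bin/sh");
	}
	return EXIT_FAILURE;
}
< press ctrl+d >
$ cat >foobar.sh
#!/bin/sh
: write your command here
< press ctrl+d >
$ gcc -o foobar foobar.c
$ sudo chown root:users foobar foobar.sh
$ sudo chmod 4750 foobar
$ sudo chmod 700 foobar.sh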
With that, your command on local machine will be:
Code:
ssh "$remote" foobar/foobar
But NOPASSWD suggested by linosaurusroot is also an option so choose whichever you prefer.

Quote:
Originally Posted by linosaurusroot View Post
That keeps the password out of a shell variable so I suggest this is a minor improvement.
Uh? Could you elaborate cause your explanation makes no sense to me.

Last edited by mina86; 01-16-2013 at 01:42 PM. Reason: Typo.
 
1 members found this post helpful.
Old 01-17-2013, 06:01 AM   #4
r0tty
@mina86 - thanks for the reply.

Quote:
Originally Posted by mina86 View Post
For one, you give out your password to anyone who has access to the machine you are running this on.
How would they do that though? If I am signed on as a normal user and run that command I don't see where it shows up for another normal user. Because echo is a built-in they cannot see it in the output from ps (even if it did they would only see the command not the args). They won't have access to /proc. Even if a user with root privilege can do it I would be very interested to know how.

The setuid C program is not an option as part of the idea of this is to do remote admin, so any variety of commands could be entered. Also, the 'NOPASSWD' option in sudoers is not an option - I want to have the requirement to enter a password in case someone with sudo access leaves a terminal session unguarded.

@linosaurusroot - I didn't really understand either, but I think I may have made my question too complicated. I extracted the command example from my script so that the question wasn't too long, but I should have tidied up more. The actual command I am using is this:

Code:
echo "${SUDO_PASSWORD}" | ssh -o StrictHostKeyChecking=no ${1} "sudo -Sp '' sh -c '${2}'"
The reason for "sh -c '${2}'" is that if ${2} is "whoami; whoami" it should return "root" twice, but without the "sh -c" it would give "root" and then "rotty", because the second command wouldn't run as root. I don't think using another shell makes it any less secure - if someone gets the password from one, then they can get it from them all, I would think.

Rotty
 
Old 01-17-2013, 08:37 AM   #5
linosaurusroot
Quote:
Originally Posted by r0tty View Post
I don't think using another shell makes it any less secure - if someone gets the password from one, then they can get it from them all, I would think.
When you have read the password into a shell variable to use it with sudo it may be available via a debugger or /proc to another process run with the same UID and may not be wiped when you have finished with it. Because sudo is setuid and carefully programmed these risks do not exist if you get the password directly into sudo with no shell involved.

Of course Unix doesn't do a lot to help you if you are being attacked from the same UID.
 
1 members found this post helpful.
Old 01-18-2013, 04:25 AM   #6
mina86
Quote:
Originally Posted by r0tty View Post
Because echo is a built-in they cannot see it in the output from ps
Right, that's true and you might get away with this.

Quote:
Originally Posted by r0tty View Post
(even if it did they would only see the command not the args).
That's not true. ps shows the whole command. Even if it doesn't there's “/proc/self/cmdline” which has the whole command line.

Quote:
Originally Posted by r0tty View Post
The setuid C program is not an option as part of the idea of this is to do remote admin, so any variety of commands could be entered.
The setuid program can be rewritten to allow arbitrary commands, but yeah, then you'll just reimplement sudo.

Quote:
Originally Posted by linosaurusroot
When you have read the password into a shell variable to use it with sudo it may be available via a debugger or /proc to another process run with the same UID
The first part is irrelevant (since it's true any time you enter password anywhere) and the second is not true if the variable is not exported.

Quote:
Originally Posted by linosaurusroot
and may not be wiped when you have finished with it.
“unset SUDO_PASSWORD” after the line in question should solve the problem.

However, why don't you just do something like:
Code:
ssh -t "$1" "sudo sh -c '$2'"
and let the remote sudo prompt for password. This has additional advantage of leaving stdin intact.
 
1 members found this post helpful.
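
The ps and /proc/<pid>/cmdline point debated above can be checked on a Linux machine with a harmless marker string in place of a password. This is an added example, not code from any poster in the thread; the function names and the marker are made up for it.

```shell
#!/bin/sh
# Added example. Linux only (needs /proc). MARKER is a constructed stand-in
# for a password; the PID suffix keeps it unique to this run.
MARKER="constructed-marker-$$"

# True if MARKER appears in the argv of any process we are allowed to see.
# cat and tr are given no marker themselves, so they cannot self-match.
marker_in_some_argv() {
    case "$(cat /proc/[0-9]*/cmdline 2>/dev/null | tr '\000' ' ')" in
        *"$MARKER"*) return 0 ;;
    esac
    return 1
}

# Poll for about a second while the caller's background job is running.
poll_argv() {
    tries=0
    while [ "$tries" -lt 10 ]; do
        if marker_in_some_argv; then return 0; fi
        tries=$((tries + 1))
        sleep 0.1
    done
    return 1
}

# Case 1: the value is an argument of an external program (stand-in for
# /bin/echo or any tool that takes a password on its command line).
external_arg_visible() {
    sh -c 'sleep 1; :' "$MARKER" &
    found=1
    if poll_argv; then found=0; fi
    wait
    return "$found"
}

# Case 2: the value is written by the shell's printf builtin. The forked
# subshell keeps the script's own argv, so the value never enters any argv.
builtin_arg_visible() {
    { printf '%s\n' "$MARKER"; sleep 1; } | cat >/dev/null &
    found=1
    if poll_argv; then found=0; fi
    wait
    return "$found"
}

if external_arg_visible; then echo "external program: value visible in argv"; fi
if ! builtin_arg_visible; then echo "printf builtin: value not visible in argv"; fi
```

This only covers argv exposure; it says nothing about the memory of the shell that holds the variable, which is the other half of the argument in this thread.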
Old 01-18-2013, 06:59 AM   #7
linosaurusroot
Quote:
Originally Posted by mina86 View Post
The first part is irrelevant (since it's true any time you enter password anywhere) and the second is not true if the variable is not exported.
Unprivileged processes won't be able to attach to sudo because setuid. Processes with the same UID as this user can attach to his shell.


Quote:
“unset SUDO_PASSWORD” after the line in question should solve the problem.
That's not going to wipe the memory like a securely-written program would - to protect against copying of the memory.
http://etutorials.org/Programming/se...mory+Securely/
 
1 members found this post helpful.
Old 01-18-2013, 07:26 AM   #8
r0tty
@mina86

You're right about other users seeing the args. But, as you said, using a built-in may mitigate this.

I can't just use the simple command you suggest as the whole point of this exercise is to run a command against multiple servers. So, I will be on my local machine and run "myscript servera,serverb,serverc,etc mycommand" and it will prompt for a password once and then inject it into the remote command when necessary.

@linosaurusroot

I can't find much to suggest bash* isn't written securely. The fact that bash provides 'read -s' must mean that the authors were aware they were getting themselves into the realm of handling secure data. I guess the key question is - how would someone extract the password from the memory I'm using when I'm running the script (running as a non-root user, possibly the same user).

* just to be clear - /bin/sh is a link to /bin/bash on all servers here.

Rotty

PS, just wanted to say thanks to you guys for contributing responses to this. You've prompted me to think more about how a shell handles memory and found this interesting http://security.stackexchange.com/qu...ility-in-linux. I think my current thinking is that my script is 'secure enough', but that users should be made aware that 'root' and their own user account could be used to steal their password.

Last edited by r0tty; 01-18-2013 at 07:57 AM.
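
A sketch of the multi-server script described in this post, as an added example rather than code from the thread: it prompts once, feeds the password to the remote `sudo -S` through the `printf` builtin, leaves SSH host key checking at its default, and quotes the command so it survives the remote shell. The function names are made up; it assumes key-based SSH login and the same sudo password on every host.

```shell
#!/bin/sh
# Added example; usage: myscript hosta,hostb,hostc 'command to run as root'

# Wrap a string in single quotes for the remote shell, escaping embedded ones.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# sudo -k ignores cached credentials, so -S always consumes the password line;
# otherwise a cached ticket would let the password reach the command's stdin.
remote_cmd() {
    printf "sudo -k -S -p '' sh -c %s" "$(sq "$1")"
}

# $1 = comma-separated host list, $2 = command; password is in SUDO_PASSWORD.
run_on_hosts() {
    cmd=$(remote_cmd "$2")
    old_ifs=$IFS; IFS=,
    for host in $1; do
        IFS=$old_ifs
        printf '== %s ==\n' "$host"
        # printf is a builtin: the password travels down the pipe, not in any argv.
        # Host key checking stays on: an impostor host would receive the password.
        printf '%s\n' "$SUDO_PASSWORD" | ssh -o BatchMode=yes "$host" "$cmd"
    done
    IFS=$old_ifs
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: $0 host1,host2 'command'" >&2; return 2; }
    trap 'stty echo; exit 130' INT TERM   # restore terminal echo if interrupted
    printf 'sudo password: ' >&2
    stty -echo; IFS= read -r SUDO_PASSWORD; stty echo; echo >&2
    run_on_hosts "$1" "$2"
    unset SUDO_PASSWORD   # drops the variable; does not scrub the shell's memory
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The remote command line itself is still visible in `ps` on each server, so it must not contain secrets of its own.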
 
  

