Howto? limited, secure, interactive shell (with sudo on RHEL). Impossible?

QuantSuff · 08-09-2010, 04:48 PM

You don't have to tell me - I already know trying to do sudo in a chrooted environment is a bad idea.
But is it even possible? I don't have a choice.

Requirement:
A (commercial) inventorying script needs to interactively log in to a number of RHEL4 and RHEL5 servers and run these three commands

sudo /usr/sbin/lsof
sudo /usr/sbin/dmidecode
/sbin/ifconfig

We are not going to enable SELinux on all these servers.

Is there any other way to do this securely? would suid be better/worse than sudo?

I need to secure this as much as possible. rbash is trivially defeated: http://www.symantec.com/connect/arti...ing-unix-users

I tried to avoid manually building a chrooted environment by trying jailkit http://olivier.sessink.nl/jailkit but I couldn't get it to work.

So I guess my only option is to try to manually hack together a chroot. Any favorite cookbooks? Anyone do this supporting sudo?

Any suggestions?
Any suggestions on another approach?
Anybody gotten jailkit to work on RHEL/Centos to provide an interactive shell?

Thanks,
QuantSuff

unSpawn · 08-09-2010, 05:45 PM

Quote:

Originally Posted by QuantSuff

Any suggestions on another approach?

SNMP could provide the data as could Xinetd as could a CGI. Xinetd example:

Code:

# description: Xinetd output of 'lsof'. 
service lsof
{
        disable         = no
        type            = UNLISTED
        protocol        = tcp
        port            = 10000
        socket_type     = stream
        wait            = no
        user            = root
        log_on_failure  += HOST 
        server          = /usr/sbin/lsof
        server_args     = -P -w -n
        only_from       = 1.2.3.0/24
}

So if the inventory script isn't configurable wrt usable methods then the problem isn't getting the data but how the script demands input. IMHO.