LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-28-2010, 03:44 PM   #1
slouching
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 3
The use of sudoedit command question


Hi all, new to the forums and look forward to working with you all.

Have a question regarding the sudoedit command and best practices. I noticed that giving a user sudo rights to run vi is generally a bad thing as said user could break out of vi into a root shell. (ugly indeed). Thought sudoedit was my answer, but noticed that has it's own potential issues. If I specify the full path to sudoedit it does not work, I just get "Sorry, user xxx is not allowed to execute 'sudoedit /etc/hosts' as root on <servername>" Also, if I use sudo <path to sudoedit> <path to file to edit> it fails as well. If I simply specify sudoedit (with no path)in the sudoers file, it allows user to edit the file, cannot break out to root shell, but it does not prevent the user from creating a script in his HomeDir called sudoedit, and running it, through sudo, as root. (and putting something like /bin/su - in the file called "sudoedit") Anyone have any ideas to get around this? Is it just the ver of sudo? currently running sudo-1.6.9p17-3.

Thanks
 
Old 01-28-2010, 07:04 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given.


I attack this from a different direction, I think.

To be fair, This is a single user machine, with just glenn and root logins.

But when I set up the /etc/sudoers file as root (su -p), I Uncomment the wheel lines...

/etc/sudoers
Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root	ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
%wheel	ALL=(ALL) ALL

# Same thing without a password
%wheel	ALL=(ALL) NOPASSWD: ALL

# Samples
%users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users  localhost=/sbin/shutdown -h now
once this is saved, I add myself (glenn) to the wheel group. (or vis-a-vis)

Restart the system, and I now have root access with sudo,

But as far as I am aware, nobody but root and the wheel group can access any system files. Unless they know the root password.

Please correct me if I missed something.

Regards Glenn

Last edited by GlennsPref; 01-28-2010 at 07:05 PM. Reason: Unless they know the root password
 
Old 01-28-2010, 07:33 PM   #3
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353Reputation: 353Reputation: 353Reputation: 353
The string 'sudoedit' is supposed to be treated as a special case, so you don't provide the path.

Code:
slouching ALL=NOPASSWD: sudoedit /etc/network/interfaces
Of course is important to scope which files the user is allowed to sudoedit. Letting them sudoedit any file is tantamount to giving full root access.

However, there does seem to be a hole as you point out, because the line can also be interpreted as allowing any file called sudoedit to be run as root...
 
Old 01-28-2010, 08:03 PM   #4
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Mageia Studio-13.37 Kubuntu.
Posts: 3,325
Blog Entries: 33

Rep: Reputation: 199Reputation: 199
I guess my setup means that if my user account is breached, it's wide open.

I'm going to have to rethink my approach, ease of access is not everything.

I also use msec to keep close watch on file permissions and changes.

So far, so good.

I don't access my system remotely, maybe that's my saviour.

cheers, Glenn
 
Old 01-29-2010, 04:14 PM   #5
slouching
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Original Poster
Rep: Reputation: 3
Thanks for the feedback.

@Glenn. Yeah I don't want to give "wheel" as that will give the user root. I wanted to use sudoedit as an alternative to giving the users sudo to the vi command. If the user runs vi as root (through sudo) he can break out of vi to root's shell. (i.e. by using :sh in vi) so when sudoedit is used and the user tries to break out to a shell, it reverts back to their account.

@neo. Yes I agree that a path should be specified to the actual file you want the user to use sudoedit on as it would open up all the files for them to edit. (bad indeed as they could technically use sudoedit on the /etc/sudoers file). But even with a <path to file to edit> defined it was not immune to the creation of a file called sudoedit and running it through sudo. see below.

OK, so even with the specification of a path after the sudoedit command i could run sudoedit, with sudo and have it run my new "sudoedit" script and simply put /bun/su - in it:

slouching ALL = sudoedit /etc/hosts

that worked and would not allow me to break out to a root shell. However when I created my one "sudoedit" I could run it through sudo and become root:

sudo ./sudoedit /etc/hosts

So within my new sudoedit file in my home dir it basically just echoed "test" and then ran /bin/su -. This made me root on the box.

What i determined was that version I was using had this issue (sudo-1.6.9p17-3 also tested on 1.6.9p17-5) but when a colleague of mine tested an earlier version (sudo-1.6.8p12-12.el5) it worked as advertised. When he attempted to run sudo ./sudoedit (again my sudoedit script that would su to root) With this earlier version, however it did not let him run my "sudoedit" and instead printed usage message:

usage: sudoedit [-HPSb] [-p prompt] [-u username|#uid] file [...]

So it looks like the newer version of sudo I had running has a nasty sudoedit issue.

Thanks
 
Old 01-29-2010, 06:27 PM   #6
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353Reputation: 353Reputation: 353Reputation: 353
Quote:
so even with the specification of a path after the sudoedit command i could run sudoedit, with sudo and have it run my new "sudoedit" script
Yes, I had tried this already yesterday and submitted a bug report. If I hear nothing from upstream, I will submit a bug report to Debian, since they are using 1.6.9 in the stable distro. Thanks.

==EDIT==
Have submitted the same bug report to Debian.

Last edited by neonsignal; 01-29-2010 at 06:59 PM.
 
Old 02-23-2010, 07:30 PM   #7
neonsignal
Senior Member
 
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Wheezy (Fluxbox WM)
Posts: 1,363
Blog Entries: 52

Rep: Reputation: 353Reputation: 353Reputation: 353Reputation: 353
The problem has been fixed in the new stable version 1.7.2p4 of sudoedit.

-- edit --

Patches have also been propagated through Debian, RedHat, and Ubuntu.

Last edited by neonsignal; 03-02-2010 at 04:16 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
MV command question. swamprat Linux - Newbie 4 04-23-2008 07:56 PM
Let users to shutdown via sudoedit ? Xeratul Linux - General 8 02-11-2007 11:49 AM
Command Question Siki Linux - General 3 07-29-2003 03:34 PM
Command Question gauge73 Linux - Newbie 2 02-13-2003 08:18 PM
ls -al command question Stingreen Linux - Networking 5 02-14-2002 11:32 AM


All times are GMT -5. The time now is 05:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration