LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-14-2017, 10:17 AM   #16
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656Reputation: 1656

Quote:
i know backlisting way to deny user
Quote:
when we change the sudo policy from backlisting
Fwiw, it is "blacklisting" not backlisting. Correct spelling will help when you are searching for information.
 
Old 02-14-2017, 01:12 PM   #17
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Do you know there is auditing built into sudo? You can use that with your staff as the first phase.
 
Old 02-14-2017, 01:32 PM   #18
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,538

Rep: Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078
There is no practical way to do blacklisting with sudo. You would not only have to block "sudo -i" and all shells, but also any command that has a shell escape (like just about all editors), as well as any command that might invoke a command that has a shell escape. It's so insecure that sudo has no support for it.
 
Old 02-14-2017, 01:33 PM   #19
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217
Quote:
Originally Posted by pan64 View Post
Ok, you are right too. Just look at the man page of sudo:
Code:
  sudo, sudoedit — execute a command as another user
And actually the main goal is (here) not to be root, but execute something as not myself.
The command is literally short for SuperUser DO, Also: https://www.sudo.ws/readme.html

Quote:
The sudo philosophy
===================
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity. The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.

Last edited by r3sistance; 02-14-2017 at 01:41 PM.
 
Old 02-14-2017, 04:48 PM   #20
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Sudo: you're doing it wrong - PDF @ 171 pages.
Sudo: you're doing it wrong - YouTubeVid @ 1h:11m

Just sayin'.
 
Old 02-15-2017, 12:48 AM   #21
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,274

Rep: Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463
Quote:
Originally Posted by r3sistance View Post
The command is literally short for SuperUser DO, Also: https://www.sudo.ws/readme.html
(ok, let's have a fight)

sudo is coming from su + do, (so the command su existed and was used to develop sudo which has additional features - not only su, but do something immediately).
And now we can check man su:
Code:
 su - run a command with substitute user and group ID
in short - if you want - set user, but it was never SuperUser: su already accepted a username.

but actually this discussion is out of scope here, so we need to open a new thread about the history of sudo if you wish.
 
Old 02-15-2017, 04:26 AM   #22
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 217Reputation: 217Reputation: 217
Quote:
Originally Posted by pan64 View Post
(ok, let's have a fight)

sudo is coming from su + do, (so the command su existed and was used to develop sudo which has additional features - not only su, but do something immediately).
And now we can check man su:
Code:
 su - run a command with substitute user and group ID
in short - if you want - set user, but it was never SuperUser: su already accepted a username.

but actually this discussion is out of scope here, so we need to open a new thread about the history of sudo if you wish.
true it is off-topic now, I'd say the name of SU changed, Old unix code apparently shows it was called super-user. https://pthree.org/2009/12/31/the-meaning-of-su/ tho this is referring to the 5th edition and su does appear likely to have come from the 1st edition. So perhaps it even meant something different before then?

Still sometimes it is worth a discussion on the history of things, it helps us understand how things evolved and in terms of security that is always good, I think. More so this thread is rife with some old sudo abuse from the 1st post... some real abuse of it. I think we can both agree that it is best to limit down and then explicity allow rather than explicity deny in the context of sudo!
 
Old 02-15-2017, 09:00 AM   #23
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148
per this page

It looks like no use of su - can now be used by a username I suppose rules applied one can change it to a group name too.
Code:
# Allow guestx user to remote poweroff
guestx ALL=(ALL) !ALL
guestx ALL=NOPASSWD: /sbin/poweroff

Translation: disallow all commands, then allow only the desired command (without asking for password in this case).

With this configuration sudo asks for the password and then fails for commands other than the whitelisted one:

guestx@ds:~$ sudo su -
Password: 
Sorry, user guestx is not allowed to execute '/bin/su -' as root on ds.
guestx@ds:~$
I have not tried it to see if this also apples to the sudo -s/ sudo -i commands

I'd look into this further per sudo man page
Code:
  Set to the login name of the target user when the -i
                      option is specified, when the set_logname option is
                      enabled in sudoers or when the env_reset option is
                      enabled in sudoers (unless LOGNAME is present in the
                      env_keep list).

Last edited by BW-userx; 02-15-2017 at 09:40 AM.
 
Old 02-17-2017, 01:29 AM   #24
gbcbooks
Member
 
Registered: Aug 2014
Posts: 192

Original Poster
Rep: Reputation: Disabled
hi guys

i figure out a solution and it is a little complicated , thought , it helps me to prohibit restricted user to execute "sudo -i / sudo -s /sudo su "to promote as root right.

of course , it still has bugs and user can escape from the auditing, but once user escape our security setting, like :

ln -s /bin/su ~/rootme
sudo ~/rootme

our accounting system will start to work , all user's operation will be record and audit, so that we can locate the responsibility of the risk operations.
 
Old 02-17-2017, 02:24 AM   #25
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,274

Rep: Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463Reputation: 5463
not really. for example: they edit crontab to execute xterm as root on a specific display and they will have root access without audit. but obviously this is not a good example.
 
Old 02-17-2017, 02:55 AM   #26
gbcbooks
Member
 
Registered: Aug 2014
Posts: 192

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by pan64 View Post
not really. for example: they edit crontab to execute xterm as root on a specific display and they will have root access without audit. but obviously this is not a good example.
yes, but , once root has operations, accounting system will record , and we will know
 
Old 02-17-2017, 03:33 AM   #27
gbcbooks
Member
 
Registered: Aug 2014
Posts: 192

Original Poster
Rep: Reputation: Disabled
as my habit , i used to execute sudo iptables -nvL --line-number , not all users like to use -nvL, and --line-number, may be i just use sudo iptables -L to list all rule in filter table .

Cmnd_Alias should have a way to express all circumstance with element -nvL --line-number , in that way, i can define a expression to match all possibles
 
Old 02-17-2017, 07:44 AM   #28
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148Reputation: 2148
Quote:
Originally Posted by rknichols View Post
There is no practical way to do blacklisting with sudo. You would not only have to block "sudo -i" and all shells, but also any command that has a shell escape (like just about all editors), as well as any command that might invoke a command that has a shell escape. It's so insecure that sudo has no support for it.
forgive me if I am tossing in a wrench, but does not one need at lease one shell for the CLI. sh or something? therefore block every other shell but sh.

so forget about how to formulate the !sudo -i something like this untested bit
Code:
GROUP or user    ALL = !/usr/bin/bash, !/bin/bash, !/bin/dash, !/bin/whatevershell
to block the user or group from being able to use any of the other shells. therefore, one should only be able to use sh (or whatever shell is provided) but when they try to change shells it is now blocked by the Not ! and path leading to the executable for the other shell(s).

but I maybe getting the term shell mixed up as one can invoke another shell within a shell, within a shell and again and again like in a bash script. would that be the same in what is being spoke of in here relating to gaining or getting into "different" shell, which makes no sense to my brain at this moment.

sh to bash to dash to whatever else all within the same terminal emulator makes sense to my brain though. which that should block ..

Last edited by BW-userx; 02-17-2017 at 08:45 AM.
 
Old 02-17-2017, 08:44 AM   #29
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,538

Rep: Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078Reputation: 2078
Once you start any shell, that shell can do anything it could normally do, including running any other program or shell. And, if you block all shells, all the user needs to do is run "sudo vi", and from within vi type ":shell". Presto -- a root shell appears! The same can be done from many other programs that have shell escapes. You would need to discover and block them all, and blocking all editors (for example) would probably not be acceptable. If you've allowed sudo access to the cp command, it's easy to copy /bin/bash to another name and invoke that. You are trying to make a sieve leakproof, and there is just no way to make this one hold water.
 
Old 02-17-2017, 08:49 AM   #30
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Code:
$ sudo bash
[sudo] password for BW-userx: 
Sorry, user BW-userx is not allowed to execute '/bin/bash' as root on server.lan.
$ cp /bin/bash /tmp/woot
$ sudo /tmp/woot
[sudo] password for BW-userx: 
# whoami
root
#
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
sudo: /etc/sudoers is world writable in Linux Server deva420patra Linux - Server 2 02-06-2017 07:53 AM
Question about the sudo command, specifically how to have sudo act as if user is root slacker_ Linux - Newbie 17 09-22-2013 03:48 PM
sudo cd /root gives 'sudo: cd: command not found'. stf92 Linux - Newbie 4 03-03-2012 09:05 AM
(Sudo) command can't run by sudo rahilmaknojia Linux - Server 8 06-25-2010 09:30 AM
LXer: Quick how-to sudoers file (sudo command) LXer Syndicated Linux News 0 11-25-2007 01:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration