LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-17-2017, 08:53 AM   #31
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148

Quote:
Originally Posted by rknichols View Post
Once you start any shell, that shell can do anything it could normally do, including running any other program or shell. And, if you block all shells, all the user needs to do is run "sudo vi", and from within vi type ":shell". Presto -- a root shell appears!
Well, that little SOB. Then it'd have to have username all = !/bin/vi or whatever to block him from doing that too, and on and on it goes, as you state here.

Quote:
Originally Posted by rknichols View Post
The same can be done from many other programs that have shell escapes. You would need to discover and block them all, and blocking all editors (for example) would probably not be acceptable. If you've allowed sudo access to the cp command, it's easy to copy /bin/bash to another name and invoke that. You are trying to make a sieve leakproof, and there is just no way to make this one hold water.
Just do not do this with someone who is a thinker; then it might work.

Like you kind of said, all you've got to do is copy the sudoers file, edit it, then copy it back over top of the original one. Or any other conf file one wants to edit.

Do your damage, then copy back over the sudoers file, turning it back to the "original" one so it even covers your steps. Because that user would still have "basic" sudo rights to work on the system side where root privileges are needed, copy (cp) and move (mv) then need to be taken away.


What was he trying to do again? Block sudo -i and sudo -s ... Then one has to ask oneself: can I trust this person that I am giving sudo rights to? If not, then why bother giving him sudo rights? That'd be the only way around it.

If you have to, then get a logger, something like snoopy, to log everything that can be logged that the user does, just to keep an eye on him.

Last edited by BW-userx; 02-17-2017 at 09:08 AM.
 
Old 02-17-2017, 09:14 AM   #32
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148
Quote:
Originally Posted by Turbocapitalist View Post
Code:
$ sudo bash
[sudo] password for BW-userx: 
Sorry, user BW-userx is not allowed to execute '/bin/bash' as root on server.lan.
$ cp /bin/bash /tmp/woot
$ sudo /tmp/woot
[sudo] password for BW-userx: 
# whoami
root
#
Yeah, now that I am putting thought to it I am figuring out ways to get around things, like I modded in my post prior to this one.
Code:
sudo 
password
cp /etc/sudoer ~/
edit file giving himself everything again
mv ~/sudoer /etc/
Do whatever damage he wants, then change sudoers back before he leaves. More steps, but that too can be done. Not that I am going to try that on my system and maybe lock me out, where I've got to reboot and mount my system from somewhere else to fix it.

Last edited by BW-userx; 02-17-2017 at 09:17 AM.
 
Old 02-17-2017, 10:16 AM   #33
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 16,275

Rep: Reputation: 5463
Quote:
Originally Posted by gbcbooks View Post
they edit crontab to execute xterm as root on a specific display and they will have root access without audit.
Yes, but once root has operations, the accounting system will record them, and we will know.
No, you misunderstood. You can audit this activity (creation of the crontab entry), but you cannot audit the commands executed in the xterm window started from crontab.

If they have [blacklisted] sudo rights they can create another setuid executable, name it as they wish - it just should not be listed on the blacklist - and they will have full access, without audit.

You still do not understand: you cannot blacklist everything, and they can always create something not listed.
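The bypasses in the posts above (copying /bin/bash under another name, ":shell" from an editor, copying a modified sudoers back over the original, an extra setuid binary not on the blacklist) all come from rule shapes that can be spotted in the file itself. As an added example that is not code from the thread, here is a small POSIX sh auditor run over a constructed sudoers fragment (users bob, alice and carol are made up) that flags "!" exclusions, ALL, shells, editors with shell escapes and file-copy utilities:

```shell
#!/bin/sh
# Added example (not from the thread): audit a sudoers fragment for the rule
# shapes the posts above show to be bypassable. Constructed sample, not a real
# /etc/sudoers; users bob, alice and carol are made up.
SAMPLE_SUDOERS='# constructed sample
Defaults log_output
bob   ALL=(ALL) ALL, !/bin/bash, !/bin/sh
alice ALL=(root) /usr/bin/vi, /bin/cp, /bin/mv
carol ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
'
# classify_cmd: label one allowed command; print nothing if it looks harmless.
classify_cmd() {
    case "${1##*/}" in
        ALL) echo ALL ;;                                 # every binary, so every shell
        sh|bash|dash|zsh|ksh) echo SHELL ;;              # direct root shell
        vi|vim|nano|less|more|man) echo SHELL_ESCAPE ;;  # ":shell" / "!cmd" escapes
        cp|mv|dd|tee|install) echo FILE_REPLACE ;;       # can overwrite /etc/sudoers
    esac
}
# audit_sudoers: read sudoers text on stdin, print "LABEL user command" per
# finding; return 1 if anything was flagged, 0 if the rules look clean.
audit_sudoers() {
    flagged=0
    set -f                                            # no globbing of rule tokens
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*|*_Alias*) continue ;; esac
        unset IFS; set -- $line; user=$1              # first field: user or %group
        cmds=${line#*=}                               # text after "user HOST="
        case "$cmds" in '('*) cmds=${cmds#*\)} ;; esac   # drop "(runas)"
        neg_seen=0
        IFS=,
        for tok in $cmds; do
            unset IFS; set -- $tok                    # trim spaces, split off args
            case "$1" in *:) shift ;; esac            # drop tags such as NOPASSWD:
            cmd=$1
            [ -n "$cmd" ] || continue
            case "$cmd" in '!'*)                      # "!" exclusion = blacklist rule,
                if [ "$neg_seen" -eq 0 ]; then        # bypassed by copying the binary
                    echo "BLACKLIST $user $cmd"; neg_seen=1; flagged=1
                fi
                continue ;;
            esac
            label=$(classify_cmd "$cmd")
            if [ -n "$label" ]; then echo "$label $user $cmd"; flagged=1; fi
        done
    done
    return "$flagged"
}
```

Run it as `audit_sudoers < /etc/sudoers` (or pipe `printf '%s\n' "$SAMPLE_SUDOERS"` into it); a clean allow-list such as carol's rule produces no output and exit status 0.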
 
Old 02-17-2017, 10:38 AM   #34
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148
Quote:
Originally Posted by pan64 View Post
No, you misunderstood. You can audit this activity (creation of the crontab entry), but you cannot audit the commands executed in the xterm window started from crontab.

If they have [blacklisted] sudo rights they can create another setuid executable, name it as they wish - it just should not be listed on the blacklist - and they will have full access, without audit.

You still do not understand: you cannot blacklist everything, and they can always create something not listed.
To add just a little to what is said here (correct me if I am in error in my thinking):

Because that user has a level of root rights (privileges), no matter how minute, that allows him to work on the system side that requires those same privileges.
 
Old 02-18-2017, 10:18 PM   #35
Luridis
Member
 
Registered: Mar 2014
Location: Texas
Distribution: LFS 9.0 Custom, Merged Usr, Linux 4.19.x
Posts: 616

Rep: Reputation: 167
I don't know how to do what you're asking, but I've seen some stuff to help you out in the options category.

For preventing certain types of commands: http://makeitcompliant.blogspot.com/...root-user.html

As for the program itself... There are some build options that help lock out things.

--disable-root-sudo - sudo can't be run by uid0.
--disable-noargs-shell - sudo must have args.
--with-pam-login - creates a specific pam session for sudo -i.
 
Old 02-18-2017, 10:28 PM   #36
Luridis
Member
 
Registered: Mar 2014
Location: Texas
Distribution: LFS 9.0 Custom, Merged Usr, Linux 4.19.x
Posts: 616

Rep: Reputation: 167
Oops... There is one more thing I can think of. Assuming you're forcing /etc/profile and /etc/bashrc, then one of the two will always be run in the case of sudo -i or -s. Sudo sets some environment vars when it's run; it's how I trap and unset root history saving in sudo.

Code:
if [ "${SUDO_USER}" ] ; then
    # SUDO_USER is exported by sudo, so this shell was started through sudo;
    # search for interactives
fi
That might be a way of scripting it.
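One way to build on that SUDO_USER trap from the defender's side, as an added example that is not Luridis's own profile code: a /etc/profile (or /etc/bash.bashrc, for sudo -s) fragment that recognises an interactive shell carrying sudo's environment and records it to syslog instead of silencing history. SUDO_USER, SUDO_UID and SUDO_COMMAND are the variables sudo really exports; the message format, the "sudo-shell" syslog tag and the per-user history file name are this example's own choices.

```shell
#!/bin/sh
# Added example, not Luridis's own profile code: detect an interactive shell
# reached through sudo (sudo -i, sudo -s, or an editor's ":shell" escape, which
# all inherit SUDO_USER) and log it rather than disabling root's history.
# SUDO_USER, SUDO_UID and SUDO_COMMAND are exported by sudo itself; the record
# format and the "sudo-shell" syslog tag are assumptions made for this example.

# sudo_shell_audit_msg: print the audit record for an interactive shell that
# carries sudo's environment; print nothing and return 1 otherwise.
# $1 = shell flags ($-), $2 = SUDO_USER, $3 = SUDO_UID, $4 = SUDO_COMMAND, $5 = tty
sudo_shell_audit_msg() {
    case "$1" in *i*) ;; *) return 1 ;; esac      # non-interactive: nothing to do
    [ -n "$2" ] || return 1                        # no SUDO_USER: not via sudo
    # SUDO_COMMAND shows the way in: /bin/bash for "sudo -i", /usr/bin/vi for a
    # ":shell" escape out of an editor, and so on.
    printf 'sudo shell: sudo_user=%s uid=%s via=%s tty=%s\n' \
        "$2" "${3:-?}" "${4:-?}" "${5:-?}"
}

# sudo_shell_audit: run from the profile; ships the record to syslog when
# logger is present and keeps history on, in a file named after the sudo user.
sudo_shell_audit() {
    msg=$(sudo_shell_audit_msg "$-" "${SUDO_USER-}" "${SUDO_UID-}" \
                               "${SUDO_COMMAND-}" "$(tty 2>/dev/null)") || return 0
    if command -v logger >/dev/null 2>&1; then
        logger -t sudo-shell -p auth.notice -- "$msg"
    else
        printf '%s\n' "$msg" >&2
    fi
    HISTFILE="/root/.bash_history.${SUDO_USER}"; export HISTFILE
    HISTTIMEFORMAT='%F %T '; export HISTTIMEFORMAT    # bash: timestamp each entry
}
sudo_shell_audit
```

Pair it with sudo's own log_input/log_output options where possible; the profile hook only fires for shells that actually source the profile, so it complements rather than replaces sudo's logging.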
 