security risk on sudoers with shells

gabrielsousa · 10-19-2017, 01:04 PM

i'm denying all shells on sudoers
but, found an app/bin is like a exec/fork that using with sudo the user gain access to root , like this

$ sudo app_exec_fork /bin/bash

and gain access to root, its like i'm not denying the /bin/bash

any solution to this ?

gabrielsousa · 10-19-2017, 01:13 PM

and how we prevent ?

cp /bin/bash /opt/myprog && sudo /opt/myprog

Turbocapitalist · 10-19-2017, 02:02 PM

There's little risk if you use sudo correctly: It is for whitelisting programs and their options.

Can you explain a little more about what you are really trying to do?

gabrielsousa · 10-19-2017, 02:11 PM

my rules

Matching Defaults entries for adm-gsousa on host02:
!env_reset, !requiretty, !visiblepw, always_set_home

User adm-gsousa may run the following commands on host02:
(ALL) NOPASSWD: ALL, !/usr/bin/passwd root, !/bin/* /etc/sudoers*, !/bin/* * /etc/sudoers.d/*, !/usr/sbin/visudo, !/bin/su, !/sbin/runuser, !/bin/sh, !/bin/bash, !/bin/tcsh, !/bin/csh

i'm trying to deny the switch user to root

Turbocapitalist · 10-19-2017, 10:20 PM

Quote:

Originally Posted by gabrielsousa

i'm trying to deny the switch user to root

It does not work like that. You've already found the reason why blacklisting programs cannot work.

sudo works when you make a list of the few things you wish to allow an account to do as another user, usually root. Please check any of the three links above in that regard or refer to "man sudoers"

Which specific activities do you wish to allow the account "adm-gsousa" to do?

gabrielsousa · 10-20-2017, 04:03 AM

Quote:

Originally Posted by Turbocapitalist

It does not work like that. You've already found the reason why blacklisting programs cannot work.

sudo works when you make a list of the few things you wish to allow an account to do as another user, usually root. Please check any of the three links above in that regard or refer to "man sudoers"

Which specific activities do you wish to allow the account "adm-gsousa" to do?

administrator tasks

Turbocapitalist · 10-20-2017, 04:17 AM

Ok. Then list them program by program inside /etc/sudoers for that user. That's how sudo works.

For editors use sudoedit instead of launching an editor directly with sudo. Be sure to preface pagers (less, more, and so on) with NOEXEC to reduce the likelihood of shell escapes.

gabrielsousa · 10-20-2017, 09:21 AM

add this rules... i know that, there workaround... but

Matching Defaults entries for adm-gsousa on this host:
!env_reset, !requiretty, !visiblepw, always_set_home

User adm-gsousa may run the following commands on this host:
(ALL) NOPASSWD: ALL, (ALL) !/usr/bin/passwd root, !/bin/* /etc/sudoers*, !/bin/* * /etc/sudoers.d/*, !/usr/sbin/visudo, !/bin/su, !/sbin/runuser, !/bin/sh, !/bin/bash, !/bin/tcsh, !/bin/csh, !/bin/* /bin/bash *, !/bin/* /bin/sh *,
!/bin/* /bin/tcsh *, !/bin/* /bin/csh *, !/*/*/* /bin/bash, !/*/*/* /bin/tcsh, !/*/*/* /bin/csh, !/*/*/* /bin/sh, !/*/* /bin/bash, !/*/* /bin/tcsh, !/*/* /bin/csh, !/*/* /bin/sh, !/* /bin/bash, !/* /bin/tcsh, !/* /bin/csh, !/*
/bin/sh, !/*/*/*/* /bin/bash, !/*/*/*/* /bin/tcsh, !/*/*/*/* /bin/csh, !/*/*/*/* /bin/sh

Turbocapitalist · 10-20-2017, 09:41 AM

You misunderstand, it looks like. No commands or patterns for commands may be preceeded with a negation. None. Please review any of the three links provided above. You've already pointed out how to work around negations. Negations don't and can't work for commands.

For example,

Code:

cp /bin/sh ./foo
sudo foo

Don't list the programs you don't want them to run. List the programs you do want them to run: Make a list of the programs which the account is allowed to use and put that list in sudoers.