Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi all, new to the forums and look forward to working with you all.
Have a question regarding the sudoedit command and best practices. I noticed that giving a user sudo rights to run vi is generally a bad thing as said user could break out of vi into a root shell. (ugly indeed). Thought sudoedit was my answer, but noticed that has it's own potential issues. If I specify the full path to sudoedit it does not work, I just get "Sorry, user xxx is not allowed to execute 'sudoedit /etc/hosts' as root on <servername>" Also, if I use sudo <path to sudoedit> <path to file to edit> it fails as well. If I simply specify sudoedit (with no path)in the sudoers file, it allows user to edit the file, cannot break out to root shell, but it does not prevent the user from creating a script in his HomeDir called sudoedit, and running it, through sudo, as root. (and putting something like /bin/su - in the file called "sudoedit") Anyone have any ideas to get around this? Is it just the ver of sudo? currently running sudo-1.6.9p17-3.
LQ has a fantastic search function that may save you time waiting for an answer to a popular question.
With over 3 million posts to search it's possible the answer has been given.
I attack this from a different direction, I think.
To be fair, This is a single user machine, with just glenn and root logins.
But when I set up the /etc/sudoers file as root (su -p), I Uncomment the wheel lines...
/etc/sudoers
Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
# Samples
%users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
%users localhost=/sbin/shutdown -h now
once this is saved, I add myself (glenn) to the wheel group. (or vis-a-vis)
Restart the system, and I now have root access with sudo,
But as far as I am aware, nobody but root and the wheel group can access any system files. Unless they know the root password.
Please correct me if I missed something.
Regards Glenn
Last edited by GlennsPref; 01-28-2010 at 07:05 PM.
Reason: Unless they know the root password
Of course is important to scope which files the user is allowed to sudoedit. Letting them sudoedit any file is tantamount to giving full root access.
However, there does seem to be a hole as you point out, because the line can also be interpreted as allowing any file called sudoedit to be run as root...
@Glenn. Yeah I don't want to give "wheel" as that will give the user root. I wanted to use sudoedit as an alternative to giving the users sudo to the vi command. If the user runs vi as root (through sudo) he can break out of vi to root's shell. (i.e. by using :sh in vi) so when sudoedit is used and the user tries to break out to a shell, it reverts back to their account.
@neo. Yes I agree that a path should be specified to the actual file you want the user to use sudoedit on as it would open up all the files for them to edit. (bad indeed as they could technically use sudoedit on the /etc/sudoers file). But even with a <path to file to edit> defined it was not immune to the creation of a file called sudoedit and running it through sudo. see below.
OK, so even with the specification of a path after the sudoedit command i could run sudoedit, with sudo and have it run my new "sudoedit" script and simply put /bun/su - in it:
slouching ALL = sudoedit /etc/hosts
that worked and would not allow me to break out to a root shell. However when I created my one "sudoedit" I could run it through sudo and become root:
sudo ./sudoedit /etc/hosts
So within my new sudoedit file in my home dir it basically just echoed "test" and then ran /bin/su -. This made me root on the box.
What i determined was that version I was using had this issue (sudo-1.6.9p17-3 also tested on 1.6.9p17-5) but when a colleague of mine tested an earlier version (sudo-1.6.8p12-12.el5) it worked as advertised. When he attempted to run sudo ./sudoedit (again my sudoedit script that would su to root) With this earlier version, however it did not let him run my "sudoedit" and instead printed usage message:
so even with the specification of a path after the sudoedit command i could run sudoedit, with sudo and have it run my new "sudoedit" script
Yes, I had tried this already yesterday and submitted a bug report. If I hear nothing from upstream, I will submit a bug report to Debian, since they are using 1.6.9 in the stable distro. Thanks.
==EDIT==
Have submitted the same bug report to Debian.
Last edited by neonsignal; 01-29-2010 at 06:59 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.