Using Sudo
By Tony Lawrence, 2005-05-12
Security
You might at this point suddenly think "Oh no, that means a sudo user could overwrite important files". We haven't limited the sudo user's command set yet, but even if we do, what stops them from using such commands to pervert system files or other commands?
Well, remember that the shell does the redirection BEFORE sudo runs. If the redirection can't be done because of permissions, the command will fail.
[jim@lnxserve /tmp]$ sudo date > /etc/shadow
bash: /etc/shadow: Permission denied
[jim@lnxserve /tmp]$

So that's one thing you don't need to worry about. Actually, sudo itself makes reasonable efforts to protect you from malicious mischief by a sudo user. Running "sudo -V" as root shows sudo's settings; part of that is the list of environment variables that it will not pass on or that it will check for dangerous content:
Sudo version 1.6.4
... (stuff deleted)
Environment variables to check for sanity:
    LANGUAGE
    LANG
    LC_*
Environment variables to remove:
    BASH_ENV
    ENV
    TERMCAP
    TERMPATH
    TERMINFO_DIRS
    TERMINFO
    _RLD*
    LD_*
    PATH_LOCALE
    NLSPATH
    HOSTALIASES
    RES_OPTIONS
    LOCALDOMAIN
    IFS

That's the default list; you can add or subtract from it in /etc/sudoers. Note that if you do add or subtract variables, "sudo -V" doesn't reflect those changes.
Let's try that out with our test user. First, we need a simple shell script that will show us the value of environment variables. I'll call it "showme":
We'll have "jim" try it out before making any changes to sudoers:
[jim@lnxserve jim]$ cat showme
set | grep $1
[jim@lnxserve jim]$ export ENV
[jim@lnxserve jim]$ ./showme ENV
BASH_ENV=/home/jim/.bashrc
[jim@lnxserve jim]$ sudo ./showme ENV
SUDO_COMMAND='./showme ENV'

The ENV variable is not picked up by sudo even though it was marked for export. Ordinarily, environment variables would be passed:
[jim@lnxserve jim]$ export BOOP=betty
[jim@lnxserve jim]$ ./showme BOOP
BOOP=betty
[jim@lnxserve jim]$ sudo ./showme BOOP
BOOP=betty
SUDO_COMMAND='./showme BOOP'
[jim@lnxserve jim]$

But we can add to the list of variables to discard:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
Defaults:jim timestamp_timeout=-1, env_delete+="BOOP"

Note the "+=" to ADD to the environment list. If we had just used "=", that would have replaced all of sudo's defaults. You can also use "-=" to subtract a default variable and allow it to be passed.
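The following added example is not from the original article and is not sudo's own code: it applies the two default lists printed by "sudo -V" above to a constructed environment, with an optional extra name standing in for env_delete+=. The function names, the sample values, and the rule that a checked variable is dropped when its value contains "%" or "/" (the sudoers manual's description of env_check) are assumptions of this example.

```shell
#!/bin/sh
# Emulation of the two lists printed by "sudo -V" above; added example, not sudo's code.
# Defaults copied from the sudo 1.6.4 output on this page.
ENV_DELETE='BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_*
 PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS'
ENV_CHECK='LANGUAGE LANG LC_*'

# matches NAME LIST: succeed if NAME matches any glob in the whitespace-separated LIST.
matches() {
    set -f                      # keep the globs in LIST from expanding to file names
    for pat in $2; do
        case "$1" in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# sudo_env_filter [EXTRA]: read NAME=value lines on stdin and print the survivors.
# EXTRA (hypothetical parameter) plays the role of env_delete+="EXTRA" in sudoers.
sudo_env_filter() {
    delete="$ENV_DELETE $1"
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        if matches "$name" "$delete"; then
            continue                      # env_delete: always dropped
        fi
        if matches "$name" "$ENV_CHECK"; then
            case $value in
                *[%/]*) continue ;;       # env_check: dropped if value has % or /
            esac
        fi
        printf '%s\n' "$line"
    done
}

# Constructed sample environment for the test user "jim".
SAMPLE='BASH_ENV=/home/jim/.bashrc
BOOP=betty
LD_LIBRARY_PATH=/opt/app/lib
LANG=en_US
LC_MESSAGES=/tmp/locale
HOME=/home/jim'

printf '%s\n' "$SAMPLE" | sudo_env_filter        # defaults only
printf '%s\n' "$SAMPLE" | sudo_env_filter BOOP   # as with env_delete+="BOOP"
```
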
Now "jim" won't get BOOP in his sudo environment.
[jim@lnxserve jim]$ sudo ./showme BOOP
SUDO_COMMAND='./showme BOOP'

Sudo also rearranges your PATH internally. That can be a little confusing:
[jim@lnxserve jim]$ cat ./showme
echo "I'm in /home/jim"
set | grep $1
[jim@lnxserve jim]$ cat ./bin/showme
echo "I'm in /home/jim/bin"
set | grep $1
[jim@lnxserve jim]$ export PATH=".:$PATH"
[jim@lnxserve jim]$ showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
[jim@lnxserve jim]$ sudo showme PATH
I'm in /home/jim/bin
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='/home/jim/bin/showme PATH'
[jim@lnxserve jim]$

Although PATH still shows "." at the beginning, the showme in /home/jim/bin is what is run by sudo. Internally sudo has ignored the leading "." and moved on to find "showme" in /home/jim/bin. Now let's remove the /home/jim/bin/showme:
[jim@lnxserve jim]$ rm bin/showme
[jim@lnxserve jim]$ sudo showme PATH
sudo: ignoring `showme' found in '.'
Use `sudo ./showme' if this is the `showme' you wish to run.
[jim@lnxserve jim]$ sudo ./showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='./showme PATH'
[jim@lnxserve jim]$
© Copyright 2005 A.P. Lawrence
