Using Sudo
By Tony Lawrence, 2005-05-12
Security
Well, remember that the shell does the redirection BEFORE sudo runs. If the redirection can't be done because of permissions, the command will fail:

[jim@lnxserve /tmp]$ sudo date > /etc/shadow
bash: /etc/shadow: Permission denied
[jim@lnxserve /tmp]$

So that's one thing you don't need to worry about. (The usual workarounds, "sudo sh -c 'date > /etc/shadow'" or "date | sudo tee /etc/shadow", work precisely because a root process is the one opening the file; a sudoers entry that lets a user run sh or tee therefore lets him write any file.) Actually, sudo itself makes reasonable efforts to protect you from malicious mischief by a sudo user. Running "sudo -V" as root shows sudo's settings; part of that is environment variables that it will not pass on at all, and variables that it will check for dangerous content (a "/" or "%" in the value) before passing them:

Sudo version 1.6.4
... (stuff deleted)
Environment variables to check for sanity:
    LANGUAGE
    LANG
    LC_*
Environment variables to remove:
    BASH_ENV
    ENV
    TERMCAP
    TERMPATH
    TERMINFO_DIRS
    TERMINFO
    _RLD*
    LD_*
    PATH_LOCALE
    NLSPATH
    HOSTALIASES
    RES_OPTIONS
    LOCALDOMAIN
    IFS

That's the default list; you can add or subtract from it in /etc/sudoers. Note that if you do add or subtract variables, "sudo -V" doesn't reflect those changes.
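Here is an added example, not code from the original article, that emulates the two lists above without needing sudo or root: it filters the caller's exported environment the way sudo does (remove list, then the "/" or "%" sanity check), runs a command under that filtered environment, and edits the lists with the same "=", "+=" and "-=" forms that a sudoers "Defaults" entry accepts, which the article puts to use with env_delete+="BOOP" further down. The function names, the small Defaults parser and the sample variables are this example's own; it assumes bash 4.3 or later for namerefs.

```shell
#!/bin/bash
# Added example, not code from the original article: emulate, without sudo or
# root, how sudo filters the caller's environment using the two lists shown by
# "sudo -V", and how the =, += and -= forms of a sudoers "Defaults" entry
# change those lists. Needs bash 4.3+ (namerefs).

# Default lists copied from the "sudo -V" output above (shell globs allowed).
ENV_DELETE=(BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO '_RLD*' 'LD_*'
            PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN IFS)
ENV_CHECK=(LANGUAGE LANG 'LC_*')

# env_policy NAME VALUE: exit 0 if sudo would keep NAME, 1 if it would drop it.
# A variable on the check list is dropped when its value contains '/' or '%',
# which is what sudo's "sanity" check looks for.
env_policy() {
    local name=$1 value=$2 pat
    for pat in "${ENV_DELETE[@]}"; do
        [[ $name == $pat ]] && { echo "drop: $name is on env_delete"; return 1; }
    done
    for pat in "${ENV_CHECK[@]}"; do
        if [[ $name == $pat && $value == *[/%]* ]]; then
            echo "drop: $name fails the sanity check ('/' or '%' in value)"
            return 1
        fi
    done
    echo "keep: $name"
}

# sanitized_env: print the NAME=VALUE pairs of the current exported
# environment that would survive the policy.
sanitized_env() {
    local name
    for name in $(compgen -e); do
        env_policy "$name" "${!name}" >/dev/null && printf '%s=%s\n' "$name" "${!name}"
    done
    return 0
}

# run_sanitized CMD [ARGS...]: run CMD with only the surviving variables,
# built from scratch with env -i the way sudo rebuilds the environment.
run_sanitized() {
    local -a keep=()
    local name
    for name in $(compgen -e); do
        env_policy "$name" "${!name}" >/dev/null && keep+=("$name=${!name}")
    done
    env -i "${keep[@]}" "$@"
}

# apply_default 'env_delete+="BOOP"': edit a list the way a sudoers Defaults
# entry does. "=" replaces the whole list, "+=" adds names, "-=" removes them.
# (Small parser written for this example; real sudoers syntax is richer.)
apply_default() {
    local spec=$1 re='^(env_delete|env_check)(\+=|-=|=)"?([^"]*)"?$'
    [[ $spec =~ $re ]] || { echo "apply_default: cannot parse: $spec" >&2; return 1; }
    local -n target=${BASH_REMATCH[1]^^}     # ENV_DELETE or ENV_CHECK
    local op=${BASH_REMATCH[2]} item drop
    local -a new=() kept=()
    read -r -a new <<<"${BASH_REMATCH[3]}"
    case $op in
        =)  target=("${new[@]}") ;;          # the common mistake: defaults are gone
        +=) target+=("${new[@]}") ;;
        -=) for item in "${target[@]}"; do
                for drop in "${new[@]}"; do [[ $item == "$drop" ]] && continue 2; done
                kept+=("$item")
            done
            target=("${kept[@]}") ;;
    esac
}
```

Try "export BOOP=betty BASH_ENV=~/.bashrc; sanitized_env" to see BOOP pass and BASH_ENV vanish, then apply_default 'env_delete+="BOOP"' and run it again. Running apply_default 'env_delete="BOOP"' instead shows why the plain "=" form is dangerous: the list collapses to one entry and LD_PRELOAD, BASH_ENV and the rest pass straight through again.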
Let's try that out with our test user. First, we need a simple shell script that will show us the value of environment variables. I'll call it "showme":

[jim@lnxserve jim]$ cat showme
set | grep $1

We'll have "jim" try it out before making any changes to sudoers:

[jim@lnxserve jim]$ export ENV
[jim@lnxserve jim]$ ./showme ENV
BASH_ENV=/home/jim/.bashrc
[jim@lnxserve jim]$ sudo ./showme ENV
SUDO_COMMAND='./showme ENV'

The exported ENV variable is not picked up by sudo, and neither is BASH_ENV, which grep found in the unprivileged run: both are on the remove list. (The SUDO_COMMAND line only appears because its value happens to contain "ENV".) Ordinarily, exported environment variables would be passed:

[jim@lnxserve jim]$ export BOOP=betty
[jim@lnxserve jim]$ ./showme BOOP
BOOP=betty
[jim@lnxserve jim]$ sudo ./showme BOOP
BOOP=betty
SUDO_COMMAND='./showme BOOP'
[jim@lnxserve jim]$

But we can add to the list of variables to discard:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
Defaults:jim timestamp_timeout=-1, env_delete+="BOOP"

Note the "+=" to ADD to the environment list. If we had just used "=", that would have replaced all of sudo's defaults, and BASH_ENV, LD_* and the rest would pass through again. You can also use "-=" to subtract a default variable and allow it to be passed.

Now "jim" won't get BOOP in his sudo environment:

[jim@lnxserve jim]$ sudo ./showme BOOP
SUDO_COMMAND='./showme BOOP'

Sudo also does its own search of your PATH, which is not quite the search your shell does. That can be a little confusing:
[jim@lnxserve jim]$ cat ./showme
echo "I'm in /home/jim"
set | grep $1
[jim@lnxserve jim]$ cat ./bin/showme
echo "I'm in /home/jim/bin"
set | grep $1
[jim@lnxserve jim]$ export PATH=".:$PATH"
[jim@lnxserve jim]$ showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
[jim@lnxserve jim]$ sudo showme PATH
I'm in /home/jim/bin
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='/home/jim/bin/showme PATH'
[jim@lnxserve jim]$

Although PATH still shows "." at the beginning, the showme in /home/jim/bin is what sudo runs. Internally sudo has skipped the leading "." and moved on to find "showme" in /home/jim/bin; the SUDO_COMMAND line shows the full path it resolved. Now let's remove /home/jim/bin/showme:

[jim@lnxserve jim]$ rm bin/showme
[jim@lnxserve jim]$ sudo showme PATH
sudo: ignoring `showme' found in '.'
Use `sudo ./showme' if this is the `showme' you wish to run.
[jim@lnxserve jim]$ sudo ./showme PATH
I'm in /home/jim
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jim/bin
SUDO_COMMAND='./showme PATH'
[jim@lnxserve jim]$

Sudo will not silently run a command it found only in the current directory; you have to name it explicitly with "./", so a stray file in whatever directory you happen to be sitting in can't quietly become the program that runs as root.
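The search shown above, as an added example that is not part of the original article: a bash function that walks PATH the way sudo does for a bare command name, skipping "." and empty components, and that reproduces sudo's warning when the only match was in the current directory. The function name and the optional second argument (a PATH to search instead of the caller's, handy for testing) are this example's own.

```shell
#!/bin/bash
# Added example, not code from the original article: walk PATH the way sudo
# does when it looks up a bare command name. "." and empty components are
# skipped; if the command was found only there, sudo prints the warning
# shown above and refuses, and you must name it as ./cmd instead.

# resolve_like_sudo CMD [PATH]: print the file sudo would run, or return 1.
resolve_like_sudo() {
    local cmd=$1 search=${2:-$PATH} dir cand found_in_dot=0

    # A name containing a slash is used as given, like "sudo ./showme".
    if [[ $cmd == */* ]]; then
        [[ -f $cmd && -x $cmd ]] && { printf '%s\n' "$cmd"; return 0; }
        return 1
    fi

    local IFS=:
    for dir in $search; do
        if [[ -z $dir || $dir == . ]]; then
            # Remember, but do not use, a match in the current directory.
            [[ -f ./$cmd && -x ./$cmd ]] && found_in_dot=1
            continue
        fi
        cand=$dir/$cmd
        if [[ -f $cand && -x $cand ]]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done

    if (( found_in_dot )); then
        printf "sudo: ignoring \`%s' found in '.'\n" "$cmd" >&2
        printf "Use \`sudo ./%s' if this is the \`%s' you wish to run.\n" "$cmd" "$cmd" >&2
    fi
    return 1
}
```

With PATH=".:$PATH" and the two showme scripts from the article in place, "resolve_like_sudo showme" prints /home/jim/bin/showme; after removing that copy it prints the warning and fails, while "resolve_like_sudo ./showme" succeeds. One caveat for newer installations: if sudoers sets secure_path, sudo replaces the user's PATH with that value before searching, so the user's own PATH never enters into it at all.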
© Copyright 2005 A.P. Lawrence