Bad Sudo


How to avoid giving users more access to the system than they need

Sudo lets admins give users permission to perform actions as other users, primarily the root user. Normally, when you give a user sudo access, you limit the commands they can run so that no user gets full control over your system. If you use the default examples for sudo that can be found all over the internet and in the sample configs, you may be giving users more access to the system than you realize. This permission creep happens because some commands can execute other commands or spawn shells, and those commands and shells run in the context of the root user. Common examples are text editors, more, less and find.

Figure: What a quick sudo configuration for the user saurabh may look like: ALL=(ALL:ALL) and the commands he has sudo permissions to run.
Figure: The user saurabh spawning a shell using the :sh command from within vi, which produces a shell with root permissions.
Figure: Using the exec option of find to spawn a root shell when a file is found.

There are ways to prevent this kind of behavior, such as using the NOEXEC option in the /etc/sudoers file. The NOEXEC option prevents some binaries from executing other programs. Its limitation is that it doesn't work on statically linked executables or executables that use binary emulation.

Figure: Changing the (ALL:ALL) to NOEXEC: for the user saurabh.
Figure: The same commands fail this time around since they are not allowed to run commands.

A cleaner way to let users edit files with sudo is the sudoedit command. The sudoedit command lets users edit a file with their favorite text editor and the sudo permissions. A user sets the path of their text editor in the $SUDO_EDITOR variable. This lets admins add only one new line to the sudoers file, instead of adding one line for each text editor on the system or allowing only one text editor that users may not be able to use, which could cause accidental or unintended file modification.

Also of note: if you use the sudoedit command, the NOEXEC option is not needed, because commands run from the editor execute as the original user and not as the elevated user, typically root.

Figure: The adjusted /etc/sudoers file which removes the use of specific text editors and uses the sudoedit command.
Figure: Attempts to execute /bin/bash from sudoedit fail with multiple text editors (which are selected by changing the SUDO_EDITOR variable).
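
To check an existing sudoers file for the pattern described above, the following added example (not code from the original article or from the sudo project) flags user specifications that grant a text editor, more, less or find without the NOEXEC tag. It handles only simple one-line user specs with no aliases or line continuations; the binary paths, the editor names and the users alice, bob and carol are assumptions made for the sample.

```python
import re

# Programs the article names as able to run other commands or spawn shells.
# The specific editor names are an assumed, non-exhaustive list.
ESCAPE_CAPABLE = {"vi", "vim", "nano", "emacs", "more", "less", "find"}

USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")   # e.g. "(ALL:ALL) "
TAG = re.compile(r"^([A-Z_]+):\s*")    # e.g. "NOEXEC: ", "NOPASSWD: "


def audit(sudoers_text):
    """Return (user, command) pairs where an escape-capable program lacks NOEXEC."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = USER_SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or m[1].endswith("_Alias"):
            continue
        user, noexec = m[1], False
        for spec in m[3].split(","):
            spec = RUNAS.sub("", spec.strip())
            # A tag stays in effect for later commands on the line until
            # the opposite tag (EXEC:) switches it back.
            while (tag := TAG.match(spec)):
                if tag[1] in ("NOEXEC", "EXEC"):
                    noexec = tag[1] == "NOEXEC"
                spec = spec[tag.end():]
            if not spec:
                continue
            command = spec.split()[0]
            # sudoedit entries are never flagged: the editor runs as the invoking user.
            if command.rsplit("/", 1)[-1] in ESCAPE_CAPABLE and not noexec:
                findings.append((user, command))
    return findings


# Constructed sample; alice, bob and carol are hypothetical users.
SAMPLE = """\
saurabh ALL=(ALL:ALL) /usr/bin/vi, /usr/bin/less, /usr/bin/find
alice   ALL=(ALL:ALL) NOEXEC: /usr/bin/vi, /usr/bin/less
bob     ALL=(ALL:ALL) sudoedit /etc/hosts
carol   ALL=(root) NOEXEC: /usr/bin/more, EXEC: /usr/bin/find
"""

if __name__ == "__main__":
    for user, command in audit(SAMPLE):
        print(f"{user}: {command} can run other programs; use NOEXEC: or sudoedit")
```

The check treats NOEXEC as sufficient, so entries for statically linked executables still need a manual review given the limitation noted above.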

About The Author:

Stephen Hall is a Security Consultant at Security Compass. He has spoken at several conferences including DerbyCon, BSidesTO, and Hack3rcon. Stephen is co-author of the Yasuo tool and is @Logicalsec on Twitter.
