[clue] sudoers Cmnd_Alias

James Mills jmills at knowtown.com
Thu Jan 24 13:38:37 MST 2013


Jim,
Thanks for that link. Very interesting.

David,
We recently had a similar situation where someone was abusing sudo and we
were trying to do the same type of thing you mention (knowing it was not
secure, but wanting to show that someone had to go way out of their way to
circumvent basic sudo functionality).

In our case we used the following Cmnd_Aliases:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh

Cmnd_Alias SU = /usr/bin/su, /bin/su

In our case, the user was also going in and changing the sudoers file back
to what they wanted so we also did a:

Cmnd_Alias SUDO = /usr/bin/visudo, /usr/bin/chattr

then set the immutable attribute on the sudoers file.  (Needless to say
this person no longer works with our organization after a very short term
here and we have gone back to standard sudoers practices.)

One interesting side note, we found that even with all of this in place
there was a bug in one of the RHEL 5.x versions (don't remember which off
the top of my head but I can look up the support case later) where any user
could run: sudo -s and get right to a root shell without having to type any
password at all.

kind regards,

James Mills
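As an added example (not James's or the list's own code): a POSIX shell script that emits a sudoers fragment built from the SHELLS, SU and SUDO aliases above and scans sudo log lines for any command in those aliases, so the circumvention attempts David wants to detect show up in a log review. The user name "ops" and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Alias contents taken from the Cmnd_Aliases in the message above.
SHELLS="/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh"
SU="/usr/bin/su, /bin/su"
SUDO="/usr/bin/visudo, /usr/bin/chattr"

# Print a sudoers fragment: the aliases, then a rule for the (constructed)
# user "ops" that grants ALL but negates the aliases. Negation only blocks
# these exact paths, which is why the thread calls this "not secure": a copied
# shell binary or an editor's shell escape is not covered. After installing
# the fragment the message locks the file with: chattr +i /etc/sudoers
sudoers_fragment() {
    printf 'Cmnd_Alias SHELLS = %s\n' "$SHELLS"
    printf 'Cmnd_Alias SU = %s\n' "$SU"
    printf 'Cmnd_Alias SUDO = %s\n' "$SUDO"
    printf 'ops ALL = (ALL) ALL, !SHELLS, !SU, !SUDO\n'
}

# Return 0 if the absolute path in $1 appears in one of the alias lists.
in_alias() {
    case ", $SHELLS, $SU, $SUDO, " in
        *", $1, "*) return 0 ;;
    esac
    return 1
}

# Read sudo log lines on stdin and print "user command" for every COMMAND=
# that names a blocked alias member, whether sudo ran it or logged
# "command not allowed" (both forms carry the COMMAND= field).
flag_blocked() {
    while IFS= read -r line; do
        case "$line" in *" COMMAND="*) ;; *) continue ;; esac
        user=$(printf '%s' "$line" | sed -n 's/.*sudo: *\([^ ]*\) : .*/\1/p')
        cmd=${line##*COMMAND=}
        cmd=${cmd%% *}
        if in_alias "$cmd"; then
            printf '%s %s\n' "$user" "$cmd"
        fi
    done
}

# Constructed sample log lines in the syslog format sudo uses.
SAMPLE_LOG='Jan 24 13:38:37 host sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/ls -l /root
Jan 24 13:39:01 host sudo:   ops : command not allowed ; TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/su -
Jan 24 13:39:20 host sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/sh'

printf '%s\n' "$SAMPLE_LOG" | flag_blocked
```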




On Sat, Jan 19, 2013 at 12:00 PM, <clue-request at cluedenver.org> wrote:

> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 Jan 2013 12:03:39 -0700 (MST)
> From: "David L. Willson" <DLWillson at TheGeek.NU>
> Subject: [clue] sudoers Cmnd_Alias
> To: CLUE's mailing list <clue at cluedenver.org>
> Message-ID: <0455a966-49bf-4594-bb18-656c31610561 at zimbra.thegeek.nu>
> Content-Type: text/plain; charset="utf-8"
>
> Has anyone out there got a sudoers file with a reasonably complete set of
> blocks against shells, etc. ? I realize it's not secure. I'm just trying to
> clearly communicate disapproval for interactive privileged sessions.
> ... so that if/when someone circumvents it, and if/when I detect the
> circumvention, the user isn't surprised that I confront them and/or report
> it to their manager.
>
>
>
> --
> David L. Willson
> Trainer, Engineer, Enthusiast
> RHCE Network+ A+ Linux+ LPIC-1 Ubuntu
> Mobile 720-333-LANS(5267)
>
> This is a good time for a r3VOLution.
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 Jan 2013 20:10:30 -0700
> From: Jim Ockers <ockers at ockers.net>
> Subject: Re: [clue] sudoers Cmnd_Alias
> To: "CLUE's mailing list" <clue at cluedenver.org>
> Message-ID: <50FA0EA6.1050607 at ockers.net>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi David,
>
> This is interesting.  So you want them to be able to run lots of
> different binaries on the system, but nothing that would let them exec()
> or system() a shell? I think sudo is probably the Hard Way to try to do
> something like this. May I suggest an alternate approach.
>
> This USENIX paper from LISA11 (Local System Security via SSHD
> Instrumentation)
> http://static.usenix.org/events/lisa11/tech/full_papers/Campbell.pdf
> describes the authors' use of the Bro IDS combined with sshd
> instrumentation to detect unauthorized use of their systems. They needed
> a way to tell legitimate use apart from hackers or other non-authorized
> uses, and it turns out an IDS with pattern-matching is a good tool for
> that sort of thing.
>
> I realize this doesn't exactly answer your question but it is an
> alternate approach to flexible security which still allows people to do
> legitimate work without anything getting in their way, and the admin
> gets notified as soon as something "smells" weird to the IDS.
>
> HTH
> Jim
>
> --
> Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
> Contact info: http://www.ockers.net/
>
> ------------------------------
>
> End of clue Digest, Vol 24, Issue 11
> ************************************
>