<div dir="ltr">Jim,<div>Thanks for that link. Very interesting.</div><div><br></div><div style>David,</div><div style>We recently had a similar situation where someone was abusing sudo and we were trying to do the same type of thing you mention (knowing it was not secure, but wanting to show that someone had to go way out of their way to circumvent basic sudo functionality).</div>
<div style><br></div><div style>In our case we used the following Cmnd_Aliases:<br>Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh</div><div style><br></div>
<div style>Cmnd_Alias SU = /usr/bin/su, /bin/su</div><div style><br></div><div style>In our case, the user was also going in and changing the sudoers file back to what they wanted so we also did a:</div><div style><br></div>
<div style>Cmnd_Alias SUDO = /usr/bin/visudo, /usr/bin/chattr</div><div style><br></div><div style>then set the immutable attribute on the sudoers file. (Needless to say this person no longer works with our organization after a very short term here and we have gone back to standard sudoers practices.</div>
<div style><br></div><div style>One interesting side note, we found that even with all of this in place there was a bug in one of the RHEL 5.x versions (don't remember which off the top of my head but I can look up the support case later) where any user could run: sudo -s and get right to a root shell without having to type any password at all. </div>
<div style><br></div><div class="gmail_extra">kind regards,</div><div class="gmail_extra"><br clear="all"><div>James Mills<br><br><br></div>
<br><br><div class="gmail_quote">On Sat, Jan 19, 2013 at 12:00 PM, <span dir="ltr"><<a href="mailto:clue-request@cluedenver.org" target="_blank">clue-request@cluedenver.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Send clue mailing list submissions to<br>
<a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/listinfo/clue</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:clue-request@cluedenver.org">clue-request@cluedenver.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:clue-owner@cluedenver.org">clue-owner@cluedenver.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of clue digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. sudoers Cmnd_Alias (David L. Willson)<br>
2. Re: sudoers Cmnd_Alias (Jim Ockers)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 18 Jan 2013 12:03:39 -0700 (MST)<br>
From: "David L. Willson" <DLWillson@TheGeek.NU><br>
Subject: [clue] sudoers Cmnd_Alias<br>
To: CLUE's mailing list <<a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a>><br>
Message-ID: <<a href="mailto:0455a966-49bf-4594-bb18-656c31610561@zimbra.thegeek.nu">0455a966-49bf-4594-bb18-656c31610561@zimbra.thegeek.nu</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Has anyone out there got a sudoers file with a reasonably complete set of blocks against shells, etc. ? I realize it's not secure. I'm just trying to clearly communicate disapproval for interactive privileged sessions.<br>
... so that if/when someone circumvents it, and if/when I detect the circumvention, the user isn't surprised that I confront them and/or report it to their manager.<br>
<br>
<br>
<br>
--<br>
David L. Willson<br>
Trainer, Engineer, Enthusiast<br>
RHCE Network+ A+ Linux+ LPIC-1 Ubuntu<br>
Mobile 720-333-LANS(5267)<br>
<br>
This is a good time for a r3VOLution.<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://cluedenver.org/pipermail/clue/attachments/20130118/287eb61b/attachment-0001.html" target="_blank">http://cluedenver.org/pipermail/clue/attachments/20130118/287eb61b/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 18 Jan 2013 20:10:30 -0700<br>
From: Jim Ockers <<a href="mailto:ockers@ockers.net">ockers@ockers.net</a>><br>
Subject: Re: [clue] sudoers Cmnd_Alias<br>
To: "CLUE's mailing list" <<a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a>><br>
Message-ID: <<a href="mailto:50FA0EA6.1050607@ockers.net">50FA0EA6.1050607@ockers.net</a>><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Hi David,<br>
<br>
This is interesting. So you want them to be able to run lots of<br>
different binaries on the system, but nothing that would let them exec()<br>
or system() a shell? I think sudo is probably the Hard Way to try to do<br>
something like this. May I suggest an alternate approach.<br>
<br>
This USENIX paper from LISA11 (Local System Security via SSHD<br>
Instrumentation)<br>
<a href="http://static.usenix.org/events/lisa11/tech/full_papers/Campbell.pdf" target="_blank">http://static.usenix.org/events/lisa11/tech/full_papers/Campbell.pdf</a><br>
describes the authors' use of the Bro IDS combined with sshd<br>
instrumentation to detect unauthorized use of their systems. They needed<br>
a way to tell legitimate use apart from hackers or other non-authorized<br>
uses, and it turns out an IDS with pattern-matching is a good tool for<br>
that sort of thing.<br>
<br>
I realize this doesn't exactly answer your question but it is an<br>
alternate approach to flexible security which still allows people to do<br>
legitimate work without anything getting in their way, and the admin<br>
gets notified as soon as something "smells" weird to the IDS.<br>
<br>
HTH<br>
Jim<br>
<br>
--<br>
Jim Ockers, P.E., P.Eng. (<a href="mailto:ockers@ockers.net">ockers@ockers.net</a>)<br>
Contact info: <a href="http://www.ockers.net/" target="_blank">http://www.ockers.net/</a><br>
<br>
<br>
David L. Willson wrote:<br>
> Has anyone out there got a sudoers file with a reasonably complete set<br>
> of blocks against shells, etc. ? I realize it's not secure. I'm just<br>
> trying to clearly communicate disapproval for interactive privileged<br>
> sessions.<br>
> ... so that if/when someone circumvents it, and if/when I detect the<br>
> circumvention, the user isn't surprised that I confront them and/or<br>
> report it to their manager.<br>
><br>
><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://cluedenver.org/pipermail/clue/attachments/20130118/c151138f/attachment-0001.html" target="_blank">http://cluedenver.org/pipermail/clue/attachments/20130118/c151138f/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
clue mailing list<br>
<a href="mailto:clue@cluedenver.org">clue@cluedenver.org</a><br>
<a href="http://cluedenver.org/mailman/listinfo/clue" target="_blank">http://cluedenver.org/mailman/listinfo/clue</a><br>
<br>
End of clue Digest, Vol 24, Issue 11<br>
************************************<br>
</blockquote></div><br></div></div>