Sudo even more secure

Florian Diesch diesch at spamfence.net
Fri Mar 24 04:10:16 GMT 2006


On Wed, Mar 22, 2006 at 01:38:54AM -0500, John Richard Moser wrote:
> I have looked into making a sudo group 'jradmin' that can not run
> apt/synaptic/dpkg or alter users.  Relevant lines are below:
> 
> - ----SNIP----
> Cmnd_Alias      SU = /bin/su
> Cmnd_Alias      SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
>                         /usr/local/bin/tcsh, /usr/bin/rsh, \
>                         /usr/local/bin/zsh
> 
> Cmnd_Alias      GNOME_ADMIN = /usr/bin/network-admin, \
>                         /usr/bin/disks-admin, \
>                         /usr/bin/services-admin, \
>                         /usr/bin/gnome-software-properties, \
>                         /usr/bin/time-admin, /usr/bin/shares-admin
> 
> Cmnd_Alias      GNOME_USERS_ADMIN = /usr/bin/users-admin
> 
> Cmnd_Alias      GPARTED = /usr/bin/gparted
> 
> Cmnd_Alias      APT = /usr/bin/apt-get, /usr/bin/synaptic, \
>                         /usr/bin/dpkg
> 
> Cmnd_Alias      UPDATE = /usr/bin/update-manager
> 
> Cmnd_Alias      VISUDO = /usr/bin/visudo
> 
> # Members of the jradmin group have limited capabilities.
> # They are prevented from doing stealth damage to escalate their
> # privileges; they CAN massively destroy the system.
> %jradmin        ALL=(ALL) PASSWD: GNOME_ADMIN, UPDATE
> - ----SNIP----
> 
> It is also possible to include 'apt-get update' and 'apt-get upgrade' in
> UPDATE.  Do NOT include anything that allows full user administration or
> sudoers hacking, as this would lead to evasion.

With /usr/bin/disks-admin I'll get a file browser with root privileges
using the "Browse" button on a partition.

With /usr/bin/gnome-software-properties I'll add a repository with
updated packages that gives me a SUID root shell.

With /usr/bin/shares-admin I'll export / to a host at which I have root
access.

And in any case I may start a WWW browser with root privileges using the
help system. Then e.g. the printing command gives me a root shell.
-- 
Give a hungry man a fish, and he is full for a day. Show him how to fish,
and he berates you that he has better things to do than let strings hang
in the water. [David Kastrup in <x566arnpqc.fsf at tupik.goethe.zz>]
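The thread's point is that a sudoers rule is only as tight as the programs it names: once an alias resolves to a tool that can launch other programs, the group effectively has root. The following is an added audit helper, not code from the thread or from sudo itself; it expands Cmnd_Alias definitions (including backslash continuations and nested aliases) for a user spec and flags the commands that the reply above identifies as root-privileged launchers. The sudoers text is a constructed sample taken from the quoted fragment, and the ESCAPE_CAPABLE set is assumed from the reply, not from any sudo documentation.

```python
import re
# Constructed sample, built from the sudoers fragment quoted in the thread.
SUDOERS_SAMPLE = r"""
Cmnd_Alias      GNOME_ADMIN = /usr/bin/network-admin, \
                        /usr/bin/disks-admin, \
                        /usr/bin/services-admin, \
                        /usr/bin/gnome-software-properties, \
                        /usr/bin/time-admin, /usr/bin/shares-admin
Cmnd_Alias      UPDATE = /usr/bin/update-manager
# Members of the jradmin group have limited capabilities.
%jradmin        ALL=(ALL) PASSWD: GNOME_ADMIN, UPDATE
"""

# Commands the reply identifies as able to launch other programs as root (assumed list).
ESCAPE_CAPABLE = {"/usr/bin/disks-admin", "/usr/bin/gnome-software-properties",
                  "/usr/bin/shares-admin"}

def join_continuations(text):
    """Merge backslash-continued lines; drop comments and blank lines."""
    merged = text.replace("\\\n", " ").splitlines()
    return [l.split("#", 1)[0].strip() for l in merged if l.split("#", 1)[0].strip()]

def parse_cmnd_aliases(lines):
    """Map each Cmnd_Alias name to its (unexpanded) comma-separated members."""
    pairs = (re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", l) for l in lines)
    return {m.group(1): [c.strip() for c in m.group(2).split(",")] for m in pairs if m}

def expand(item, aliases, seen=None):
    """Recursively resolve an alias name (possibly nested) to command paths."""
    seen = set() if seen is None else seen
    if item not in aliases or item in seen:   # plain path, or alias cycle guard
        return [item]
    seen.add(item)
    return [p for sub in aliases[item] for p in expand(sub, aliases, seen)]

def effective_commands(text, user_spec_prefix):
    """Return the concrete commands a user spec (e.g. '%jradmin') may run."""
    lines = join_continuations(text)
    aliases = parse_cmnd_aliases(lines)
    for line in lines:
        if line.startswith(user_spec_prefix):
            # Layout: user  HOSTS=(RUNAS) [TAG:] cmd, cmd, ...
            cmd_part = line.split("=", 1)[1]
            cmd_part = re.sub(r"^\([^)]*\)\s*", "", cmd_part)       # strip (RUNAS)
            cmd_part = re.sub(r"^(NO)?PASSWD:\s*", "", cmd_part)    # strip tag
            return [p for c in cmd_part.split(",") for p in expand(c.strip(), aliases)]
    return []

def audit(text, user_spec_prefix):
    """List granted commands that hand the caller a root-privileged launcher."""
    return sorted(c for c in effective_commands(text, user_spec_prefix) if c in ESCAPE_CAPABLE)
```

Run against a real /etc/sudoers the same way (read the file, pass the group or user name as the prefix); any non-empty audit result means the "limited" rule is not limited in practice.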
More information about the ubuntu-devel mailing list