Exactly what I'm talking about. Everything is very precisely set up. Aliases
are set up for common commands. Extended attributes, say, ls -l, would be a
command which is scripted through sudo, and requires authentication. It sure
makes the system difficult to use, but not if you have a good level of
access. It's a pain to set up too, but once it's done, it's all maintenance,
which is quite simple.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: Brian Hatch [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 4:14 PM
> To: [EMAIL PROTECTED]
> Cc: Gonyou, Austin
> Subject: Re: Why restrict root logins?
>
>
>
>
> > > you are only partially correct. I developed a scheme on Linux where you
> > > cannot have root access, except for using sudo, but if sudo is only allowed
> > > for certain groups, then only a small subset of people, who are explicitly
> > > told they can, have access to sudo and are fully accounted for. This in
> > > addition to some other ACLs, perhaps, XFS, etc, allows almost no one to get
> > > sudo, without being accounted for in this way. It is tedious, but very
> > > secure as well.
> >
> > having read the sudo code, and understanding goal-based attacks in the
> > way I do, I wouldn't bet on it.....
>
> Rule #1 about sudo: don't give sudoers access to anything but
> custom extremely paranoid scripts you write yourself. For example
> if a sudoer needs to be able to add a network route, you'd make the
> following program (totally off the top of my head and untested):
>
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> # Refuse the request and exit non-zero so the caller sees a failure.
> sub bail { print STDERR "Shove off.\n"; exit 1 }
>
> my($network,$gateway,$toomanyargs) = @ARGV;
> bail if $toomanyargs;
> bail unless defined $network and defined $gateway;
>
> # Validate network: dotted quad with an optional /prefix length
> my @bytes = ($network =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:/(\d+))?$# );
> for my $c ( 0..3 ) { bail if ! defined $bytes[$c] or $bytes[$c] > 255 }
> bail if defined $bytes[4] and $bytes[4] > 32; # too big mask
>
> # Validate gateway: plain dotted quad, anchored at both ends
> @bytes = ($gateway =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$# );
> for my $c ( 0..3 ) { bail if ! defined $bytes[$c] or $bytes[$c] > 255 }
>
> # network/gateway are valid, exec *AS A LIST* for increased paranoia
> exec "/sbin/route", "add", "-net", $network, "gw", $gateway;
>
>
> When you're done writing it, you test the hell out of it by sending it
> all sorts of nasty input. You make sure that a valid IP address isn't
> a bad one (don't let them change your default route, so add a
> restriction where the network is 0.0.0.0, for example) or better yet
> list the ones that are valid, bailing if they're wrong. Add a quick
> logging line to the bail subroutine to print out the args if invalid
> to syslog, etc.
>
>
> Yes, you can use sudo safely. You just must be a paranoid person
> who is more knowledgeable in security than those to whom you're giving
> sudo access. If your users don't know they can shell out in vi then
> you can give them 'vi /etc/httpd.conf' access. But better to make a
> new program called 'vihttpd' like the following and give them sudo
> access to it:
>
> #!/bin/sh
> # Edit a private copy as the unprivileged 'nobody' user, then copy it back.
> file=`mktemp /tmp/httpd.conf.XXXXXX` || exit 1
> [ -e "$file" ] || exit 1
> cat /etc/httpd.conf > "$file"
> chown nobody "$file"
> su - nobody -c "vi $file"
> cp "$file" /etc/httpd.conf
> rm "$file"
>
> Ok, enough, now I'm getting to the point where I'm re-writing part of
> Hacking Linux Exposed again in an email list. Clearly I need
> more sleep.
>
>
>
>
> --
> Brian Hatch
> Systems and Security Engineer
> www.hackinglinuxexposed.com
>
> "Nothing changes. Corruption, and immorality, chaos."
>
> Every message PGP signed
>
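The wrapper pattern Brian describes, written out as an added example rather than code from the thread: the same route-add script in Python, with an explicit allowlist of valid networks, a refusal of the default route, syslog logging of rejected arguments, and an exec that never touches a shell. ALLOWED_NETWORKS and the /sbin/route path are assumptions for illustration.

```python
import ipaddress
import os
import sys
import syslog

# Assumed allowlist: the only destinations this wrapper may ever add routes for.
ALLOWED_NETWORKS = ("10.20.0.0/16", "192.168.50.0/24")
ROUTE = "/sbin/route"  # assumed path, as in the Perl version


class Reject(ValueError):
    """Raised for any argument that fails validation."""


def build_route_argv(network, gateway, allowed=ALLOWED_NETWORKS):
    """Return the argv list for route(8), or raise Reject."""
    # ipaddress refuses anything that is not a literal IPv4 network/address,
    # so hostnames, extra options and shell metacharacters never get through.
    try:
        net = ipaddress.IPv4Network(network)  # strict: host bits must be zero
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        raise Reject("not a valid IPv4 network/gateway: %s" % exc)
    if net.prefixlen == 0:
        raise Reject("refusing to touch the default route")
    if not any(net == ipaddress.IPv4Network(a) for a in allowed):
        raise Reject("network %s is not on the allowlist" % net)
    if gw.is_unspecified or gw.is_loopback or gw.is_multicast:
        raise Reject("gateway %s is not a usable unicast address" % gw)
    # Re-emit canonical strings rather than passing the caller's raw text on.
    return [ROUTE, "add", "-net", net.with_prefixlen, "gw", str(gw)]


def main(argv):
    if len(argv) != 3:  # exactly <network> <gateway>; anything else is bailed
        syslog.syslog(syslog.LOG_WARNING, "route-add: bad argument count")
        return 1
    try:
        cmd = build_route_argv(argv[1], argv[2])
    except Reject as exc:
        # Log the offending arguments, as the thread suggests for bail().
        syslog.syslog(syslog.LOG_WARNING, "route-add: rejected %r: %s" % (argv[1:], exc))
        print("Shove off.", file=sys.stderr)
        return 1
    os.execv(cmd[0], cmd)  # argv list, no shell involved


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```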