> > you are only partially correct. I developed a scheme on Linux where you
> > cannot have root access, except for using sudo, but if sudo is only allowed
> > for certain groups, then only a small subset of people, who are explicitly
> > told they can, have access to sudo and are fully accounted for. This, in
> > addition to some other ACLs (perhaps XFS, etc.), allows almost no one to get
> > sudo, without being accounted for in this way. It is tedious, but very
> > secure as well.
>
> Having read the sudo code, and understanding goal-based attacks in the
> way I do, I wouldn't bet on it.....
Rule #1 about sudo: don't give sudoers access to anything but
custom, extremely paranoid scripts you write yourself. For example,
if a sudoer needs to be able to add a network route, you'd make the
following program (totally off the top of my head and untested):
#!/usr/bin/perl
use strict;
use warnings;
sub bail { print STDERR "Shove off.\n"; exit 1 };
bail() unless @ARGV == 2;   # exactly network and gateway, nothing else
my ($network, $gateway) = @ARGV;
# Validate network: dotted quad, optional /prefix, anchored at both ends
my @bytes = ($network =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:/(\d+))?$#);
for my $c (0..3) { bail() if !defined $bytes[$c] or $bytes[$c] > 255 };
bail() if defined $bytes[4] and $bytes[4] > 32;   # too big mask
# Validate gateway: dotted quad, anchored at both ends so trailing junk fails
@bytes = ($gateway =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
for my $c (0..3) { bail() if !defined $bytes[$c] or $bytes[$c] > 255 };
# network/gateway are valid, exec *AS A LIST* for increased paranoia
exec("/sbin/route", "add", "-net", $network, "gw", $gateway) or bail();
When you're done writing it, you test the hell out of it by sending it
all sorts of nasty input. You make sure that a valid IP address isn't
a bad one (don't let them change your default route, so add a restriction
where the network is 0.0.0.0, for example), or better yet list the ones
that are valid, bailing if they're wrong. Add a quick logging line to
the bail subroutine to print out the args to syslog if invalid, etc.
Yes, you can use sudo safely. You just must be a paranoid person
who is more knowledgeable in security than those to whom you're giving
sudo access. If your users don't know they can shell out in vi, then
you can give them 'vi /etc/httpd.conf' access. But better to make a
new program called 'vihttpd' like the following and give them sudo
access to it:
#!/bin/sh
file=`mktemp /tmp/httpd.conf.XXXXXX` || exit 1
[ -e "$file" ] || exit 1
cat /etc/httpd.conf > "$file" || exit 1
chown nobody "$file"
# -s: nobody's login shell is usually /sbin/nologin, so name a real one
su -s /bin/sh - nobody -c "vi $file"
cp "$file" /etc/httpd.conf
rm -f "$file"
Ok, enough, now I'm getting to the point where I'm re-writing part of
Hacking Linux Exposed again in a email list. Clearly I need more sleep.
--
Brian Hatch
Systems and Security Engineer
www.hackinglinuxexposed.com
"Nothing changes. Corruption, immorality, chaos."
Every message PGP signed
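The message above sketches the route-adding wrapper in Perl and then says what the finished thing should do: take exactly two arguments, validate both as addresses, reject the default route (or better, allow only a listed set of networks), log rejections to syslog, and exec the real binary with a fixed argv. Here is that finished wrapper as an added example in POSIX sh; it is not code from the message or from Hacking Linux Exposed. The installed name (/usr/local/sbin/addroute), the path /sbin/route, and the networks in ALLOWED_NETS are my assumptions, made up for the example. The policy lives in check_route_args, which only returns a status, so the nasty-input testing the message recommends can be done without ever adding a route.

```shell
#!/bin/sh
# addroute: sudo wrapper that lets a sudoer add one of a few pre-approved
# network routes, and nothing else. Added example, not the original
# message's code. Assumptions (mine): installed as /usr/local/sbin/addroute,
# the route binary is /sbin/route, and the allowlist below is made up.

ROUTE=/sbin/route
ALLOWED_NETS="10.10.0.0/16 192.168.50.0/24"   # constructed allowlist, CIDR only

# valid_ipv4 ADDR: four decimal octets 0-255, digits and dots only,
# no leading zeros (inet_aton would read 010 as octal).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr NET: ADDR/PREFIX with PREFIX 0-32. The slash is mandatory so
# the allowlist comparison below is an exact string match.
valid_cidr() {
    case "$1" in
        */*/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    net=${1%/*}
    prefix=${1#*/}
    valid_ipv4 "$net" || return 1
    case "$prefix" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] || return 1
    [ "$prefix" -le 32 ] || return 1
    return 0
}

# allowed_net NET: exact match against the allowlist. 0.0.0.0/0 is not on
# it, so nobody changes the default route through this wrapper.
allowed_net() {
    for n in $ALLOWED_NETS; do
        if [ "$1" = "$n" ]; then return 0; fi
    done
    return 1
}

# check_route_args NET GW: the whole policy in one place, returning a
# status only, so it can be fed hostile input without touching anything.
check_route_args() {
    [ $# -eq 2 ] || return 1               # exactly NET GW, nothing extra
    valid_cidr "$1" || return 1
    allowed_net "$1" || return 1
    valid_ipv4 "$2" || return 1
    [ "$2" != "0.0.0.0" ] || return 1      # not a usable gateway
    return 0
}

main() {
    if check_route_args "$@"; then
        # Fixed argv and no shell in between: the validated strings reach
        # route as separate arguments and are never re-parsed.
        exec "$ROUTE" add -net "$1" gw "$2"
    fi
    # Log the rejection with control characters squashed, so a hostile
    # argument cannot forge extra syslog lines.
    msg=$(printf '%s' "$*" | tr -c '[:print:]' '?')
    logger -t addroute -p auth.warning "rejected uid=$(id -u): $msg" 2>/dev/null || true
    echo "Shove off." >&2
    exit 1
}

# Act only when run under the installed name, so the definitions above can
# be sourced for testing without a route ever being added.
case "${0##*/}" in addroute) main "$@" ;; esac
```

The matching sudoers line grants the wrapper and nothing else, e.g. `%netops ALL = (root) /usr/local/sbin/addroute`; the sudoer never gets `/sbin/route` itself, so the only argv that ever reaches route is the one main builds from two validated strings. For the httpd.conf case in the message, current sudo also ships `sudoedit` (`sudo -e`), which performs the copy-out, edit-as-the-invoking-user, copy-back sequence of the vihttpd script itself, so the editor never runs as root.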