Monday, May 10, 2010

Sudo Read Only All

I had a friend with an interesting problem: she had to replicate a set of configuration files from one Linux machine to another, but she didn't have root on the old box. Thus, she couldn't read files like /etc/securetty, which was permission 600.

Here's where life gets strange... The customer didn't mind her looking at the box; they just didn't want her changing anything. The best way to make sure she doesn't change anything is to not give her sudo.

Rock --> You <-- Hard place.

Solution: /usr/bin/less is a read-only command, so let's just sudo it! Unacceptable, as there is a thirty-year-old hack that lets you bang out of less to a command line, sayeth information security. Easy enough to fix...
echo "username ALL=NOEXEC: NOPASSWD: /usr/bin/less" >> /etc/sudoers
The NOEXEC: tag prevents the "bang hack" by stopping less from executing any child program, while still allowing full system visibility.
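To make the tag semantics concrete, here is an added Python example (mine, not code from the original post) that parses sudoers user specifications in a simplified way and reports escape-capable programs such as less or vi that a rule allows without NOEXEC. It embeds a constructed sample that includes the rule from the post; the names parse_sudoers, audit and Rule are my own, and the grammar handled is a subset (no alias expansion, only a plain Defaults noexec line), so it is a linting aid rather than a substitute for visudo -c or sudo -l.

```python
"""Simplified sudoers auditor: finds interactive commands that offer a
shell escape (less's '!', vi's ':!') but are granted without NOEXEC.
Added example; handles a subset of the sudoers grammar (no alias expansion,
only a plain 'Defaults noexec' line), so treat it as a linting aid only."""
import re
from dataclasses import dataclass
from os.path import basename
from typing import FrozenSet, List, Tuple

# Tag keywords that may precede a command in a Cmnd_List (see sudoers(5)).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Programs known to let the invoking user spawn a shell or run other commands.
ESCAPE_CAPABLE = {"less", "more", "most", "vi", "vim", "view", "man", "ed", "ex"}


def cancel(tag: str) -> str:
    """Return the tag that this tag overrides: NOEXEC <-> EXEC, NOPASSWD <-> PASSWD, ..."""
    return tag[2:] if tag.startswith("NO") else "NO" + tag


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas: str
    tags: FrozenSet[str]
    command: str


def parse_sudoers(text: str) -> Tuple[List[Rule], bool]:
    """Return (rules, default_noexec). One Rule per command in each user spec;
    tags persist across the comma-separated command list until overridden."""
    rules: List[Rule] = []
    default_noexec = False
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and #include lines
        if not line:
            continue
        head = line.split()[0]
        if head == "Defaults":                  # global defaults only (not Defaults:user etc.)
            opts = [o.strip() for o in line[len("Defaults"):].split(",")]
            if "noexec" in opts:
                default_noexec = True
            elif "!noexec" in opts:
                default_noexec = False
            continue
        if head.endswith("_Alias"):             # User_Alias, Cmnd_Alias, ...: not expanded here
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        user, host, rhs = m.groups()
        runas = "root"                          # sudo's default target user
        rm = re.match(r"^\(([^)]*)\)\s*(.*)$", rhs)
        if rm:
            runas, rhs = rm.group(1).strip() or "root", rm.group(2)
        active = set()                          # tags in force for the current command
        for item in rhs.split(","):
            tokens = item.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tag = tokens.pop(0)[:-1]
                active.discard(cancel(tag))     # EXEC: re-enables what NOEXEC: disabled
                active.add(tag)
            if tokens:
                rules.append(Rule(user, host, runas, frozenset(active), " ".join(tokens)))
    return rules, default_noexec


def audit(text: str) -> List[Tuple[str, str]]:
    """(user, command) pairs where an escape-capable program may still exec children."""
    rules, default_noexec = parse_sudoers(text)
    findings = []
    for r in rules:
        prog = basename(r.command.split()[0])
        exec_allowed = "EXEC" in r.tags or ("NOEXEC" not in r.tags and not default_noexec)
        if prog in ESCAPE_CAPABLE and exec_allowed:
            findings.append((r.user, r.command))
    return findings


# Constructed sample, not any real system's sudoers. The first rule is the one from the post.
SAMPLE = """\
Defaults env_reset
username ALL=NOEXEC: NOPASSWD: /usr/bin/less
bob      ALL=(root) NOPASSWD: /usr/bin/less, /usr/bin/vim
carol    ALL=NOEXEC: /usr/bin/less, EXEC: /usr/bin/vi /var/log/*
"""

if __name__ == "__main__":
    for user, cmd in audit(SAMPLE):
        print(f"{user}: '{cmd}' is escape-capable and lacks NOEXEC")
```

Two caveats worth keeping next to the post's one-liner: append sudoers rules with visudo (or a validated fragment under /etc/sudoers.d) rather than a bare echo, because a syntax error in /etc/sudoers can lock everyone out of sudo; and NOEXEC works by interposing on the dynamic loader, so it covers dynamically linked programs like the usual less but not a statically linked binary.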
