sudoers might be used as security hole

Posted: 2017-03-07 01:06
by bester69
Warning!!, you shouldn't use sudoers with a script file,
this is kind of a potential exploit. By doing that you're compromising the whole system, it's like giving root access to any user that finds out that sudoers file.

This is right now my sudoers file:
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/killall
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/renice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/ionice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/chattr
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/pm-suspend
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/alsactl
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/VBoxManage
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/virtualbox
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script2
....
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script-N.sh
I've like around 15 scripts in sudoers that might be used as an exploit. Any person that figures it out just needs to edit those scripts to get the root password. :?

There should be more potential warnings about using scripts in sudoers file :x

Re: sudoers might be used as security hole

Posted: 2017-03-07 02:51
by Segfault
You have weirdest understanding of security and user accounts. You could run your system as root, would not make any difference.

Re: sudoers might be used as security hole

Posted: 2017-03-07 14:51
by bester69
Segfault wrote:You have weirdest understanding of security and user accounts. You could run your system as root, would not make any difference.
So then, how do I run a script or command that needs admin permissions if it's not by making use of sudoers?? If I'm doing it this way, I can imagine many people committing the same temerity. Sorry, can you put some light on this? Thanks

Re: sudoers might be used as security hole

Posted: 2017-03-07 17:18
by acewiza
bester69 wrote:I've like around 15 scripts in sudoers that might be used as an exploit.
That seems like a bad idea.

Re: sudoers might be used as security hole

Posted: 2017-03-07 20:32
by cpoakes
Nope. Any binary is as vulnerable as any script when the file permissions allow anyone other than the owner to modify it.
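
An audit for the condition described in the post above, added here as an example and not part of the original thread: it lists every command path in a sudoers text whose file, or any ancestor directory, is owned by or writable by an account other than root. The parser is a simplified assumption (plain `user host=(runas) TAG: cmd` lines only), and the function names and `SAMPLE` text are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample in the shape of the sudoers entries quoted in the thread.
SAMPLE = """\
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
"""

def sudoers_commands(text):
    """Yield command paths from simple 'user host=(runas) TAG: cmd[, cmd]' lines.
    Simplified: no alias expansion, includes or line continuations."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line or line.startswith("Defaults"):
            continue
        for spec in line.split("=", 1)[1].split(","):
            spec = re.sub(r"^\s*(\([^)]*\))?\s*([A-Z_]+:\s*)*", "", spec)
            if spec.startswith("/"):
                yield spec.split()[0]

def writable_by_untrusted(path, trusted_uids=frozenset({0})):
    """Return (offending_path, reason) for the file and every ancestor directory."""
    findings, current = [], os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
        except OSError:
            findings.append((current, "missing or unreadable"))
        else:
            # A sticky directory (like /tmp) stops users replacing entries they do not own.
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d not trusted" % st.st_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
                findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def audit(sudoers_text, trusted_uids=frozenset({0})):
    """Map each command in the sudoers text to its list of findings."""
    return {c: writable_by_untrusted(c, trusted_uids) for c in sudoers_commands(sudoers_text)}

if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE).items():
        print(cmd, "OK" if not findings else findings)
```

An empty findings list means only root can change what that sudoers entry runs; a script under a user's home directory will normally be reported because the user owns the file and its directory.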

Re: sudoers might be used as security hole

Posted: 2017-03-07 21:36
by Head_on_a_Stick

Re: sudoers might be used as security hole

Posted: 2017-03-08 04:17
by alan stone

Re: sudoers might be used as security hole

Posted: 2017-03-10 06:51
by debiman
bester69 wrote:So then, how
enter the password.
security is always a trade-off with convenience.
seems you have chosen convenience (NOPASSWD), so stop complaining that your system lacks security.

PS:
this actually really made me Laugh Out Loud... :lol: