sudoers might be used as security hole

Postby bester69 » 2017-03-07 01:06

Warning! You shouldn't use sudoers with a script file;
this is a kind of potential exploit. By doing that you're compromising the whole system; it's like giving root access to any user that finds out that sudoers file.

This is right now my sudoers file:
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/killall
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/renice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/ionice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/chattr
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/pm-suspend
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/alsactl
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/VBoxManage
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/virtualbox
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script2
....
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script-N.sh



I've like around 15 scripts in sudoers that might be used as an exploit. Any person that figures it out just needs to edit those scripts to get the root password. :?

There should be more potential warnings about using scripts in sudoers file :x

Postby Segfault » 2017-03-07 02:51

You have the weirdest understanding of security and user accounts. You could run your system as root; it would not make any difference.

Postby bester69 » 2017-03-07 14:51

Segfault wrote: You have the weirdest understanding of security and user accounts. You could run your system as root; it would not make any difference.


So then, how do I run a script or command that needs admin permissions if it's not by making use of sudoers? If I'm doing it this way, I can imagine many people committing the same temerity. Sorry, can you shed some light on this? Thanks.

Postby acewiza » 2017-03-07 17:18

bester69 wrote: I've like around 15 scripts in sudoers that might be used as an exploit.

That seems like a bad idea.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

Postby cpoakes » 2017-03-07 20:32

Nope. Any binary is as vulnerable as any script when the file permissions allow anyone other than the owner to modify it.
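
Added example, not part of the original thread: the permission check that cpoakes's point implies, as Python that reads simple sudoers rules like those in the first post and reports every file or parent directory in each command path that a non-root account can modify. The names `commands`, `weak_links` and `audit` are hypothetical, and only the one-line `user host=(runas) TAG: command` form is parsed.

```python
import os
import re
import stat

# Assumption: only the one-line "user host=(runas) TAG: cmd, cmd" form is parsed;
# aliases, Defaults, includes and line continuations are skipped.
RULE = re.compile(r'^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$')
TAG = re.compile(r'^(?:[A-Z_]+:\s*)+')

def commands(sudoers_text):
    """Yield (user, absolute command path) for each simple rule line."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(('#', '@', 'Defaults')) or '_Alias' in line:
            continue
        for cmd in m.group('cmds').split(','):
            words = TAG.sub('', cmd.strip()).split()
            if words and words[0].startswith('/'):
                yield m.group('user'), words[0]

def weak_links(path, stat_fn=os.stat, trusted_uids=(0,)):
    """Return reasons why an account outside trusted_uids can change `path`.

    The file and every parent directory are checked, because control of a
    parent directory allows the entry below it to be renamed or replaced.
    """
    reasons, current = [], os.path.normpath(path)
    while True:
        try:
            st = stat_fn(current)
        except OSError:
            reasons.append(f'{current}: missing')
        else:
            if st.st_uid not in trusted_uids:
                reasons.append(f'{current}: owned by uid {st.st_uid}')
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append(f'{current}: group/other writable')
        if current == '/':
            return reasons
        current = os.path.dirname(current)

def audit(sudoers_text, **kw):
    """Map each sudo-allowed command path to its list of weak links."""
    return {cmd: weak_links(cmd, **kw) for _, cmd in commands(sudoers_text)}
```

An empty list only means the file and its path are controlled by root; it says nothing about what the command itself lets the caller do once it runs as root.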

Postby Head_on_a_Stick » 2017-03-07 21:36

“Controlling complexity is the essence of computer programming.” Brian Kernighan

Postby alan stone » 2017-03-08 04:17

Debian GNU/Linux 8.9 (jessie)- 32 bit
wm: openbox

If you initiate coercion, force, violence to enforce your idea or theory, or if every single time it is applied to the real world it fails completely, your idea or theory sucks and is worthless.

Postby debiman » 2017-03-10 06:51

bester69 wrote: So then, how

enter the password.
security is always a trade-off with convenience.
seems you have chosen convenience (NOPASSWD), so stop complaining that your system lacks security.

PS:
this actually really made me Laugh Out Loud... :lol: