sudoers might be used as security hole


Postby bester69 » 2017-03-07 01:06

Warning!! You shouldn't use sudoers with a script file,
this is kind of a potential exploit. By doing that you're compromising the whole system; it's like giving root access to any user that finds out that sudoers file.

This is right now my sudoers file:
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/killall
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/renice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/ionice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/chattr
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/pm-suspend
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/alsactl
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/VBoxManage
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/virtualbox
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script2
....
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script-N.sh



I've like around 15 scripts in sudoers that might be used as an exploit. Any person that figures it out just needs to edit those scripts to get the root password. :?

There should be more potential warnings about using scripts in the sudoers file :x
bester69
 
Posts: 883
Joined: 2015-04-02 13:15

Re: sudoers might be used as security hole

Postby Segfault » 2017-03-07 02:51

You have the weirdest understanding of security and user accounts. You could run your system as root; it would not make any difference.
Segfault
 
Posts: 468
Joined: 2005-09-24 12:24

Re: sudoers might be used as security hole

Postby bester69 » 2017-03-07 14:51

Segfault wrote: You have the weirdest understanding of security and user accounts. You could run your system as root; it would not make any difference.


So then, how do I run a script or command that needs admin permissions if it's not by making use of sudoers? If I'm doing it this way, I can imagine many people committing the same temerity. Sorry, can you shed some light on this? Thanks
bester69
 
Posts: 883
Joined: 2015-04-02 13:15

Re: sudoers might be used as security hole

Postby acewiza » 2017-03-07 17:18

bester69 wrote: I've like around 15 scripts in sudoers that might be used as an exploit.

That seems like a bad idea.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.
acewiza
 
Posts: 241
Joined: 2013-05-28 12:38
Location: Out West

Re: sudoers might be used as security hole

Postby cpoakes » 2017-03-07 20:32

Nope. Any binary is as vulnerable as any script when the file permissions allow anyone other than the owner to modify it.
cpoakes
 
Posts: 94
Joined: 2015-03-29 04:54
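
The point in the post above, turned into a check (an added example, not code posted by anyone in this thread): for each command path in a sudoers file, report every path component that someone other than root owns or that is group/other writable. The sample rules are constructed in the shape of the first post's file; `sudoers_commands` and `tamper_findings` are hypothetical helper names, and the parser assumes simple one-command rules.

```python
import os
import re
import stat

# Constructed sample in the shape of the sudoers file from the first post.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
"""

RULE = re.compile(r"=\s*(?:\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*(/\S+)")

def sudoers_commands(text):
    """Yield the command path of each simple rule (no aliases or comma lists)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = RULE.search(line)
        if match and not line.startswith("Defaults"):
            yield match.group(1)

def tamper_findings(path, trusted_uids=(0,)):
    """Return (component, reason) pairs for every part of the path that a
    user outside trusted_uids could change, from the file up to /."""
    findings = []
    current = os.path.realpath(path)  # follow symlinks to what really runs
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            findings.append((current, f"cannot stat: {exc.strerror}"))
        else:
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            # In a sticky directory (/tmp) only an entry's owner can replace
            # it, and the owner of each entry is checked on its own pass.
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by uid {st.st_uid}"))
            if writable and not sticky:
                findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    for cmd in sudoers_commands(SAMPLE_SUDOERS):
        for component, reason in tamper_findings(cmd):
            print(f"{cmd}: {component}: {reason}")
```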

Re: sudoers might be used as security hole

Postby Head_on_a_Stick » 2017-03-07 21:36

"Yes Linus [Torvalds], our patches are such garbage the KSPP can't manage to do anything other than copy+paste from them, and you're slowly merging them (along with our registered copyrights). How do our table scraps taste?" — Brad Spengler, grsecurity
Head_on_a_Stick
 
Posts: 6540
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: sudoers might be used as security hole

Postby alan stone » 2017-03-08 04:17

Debian 8.9 32bit, WM: Openbox
Human beings are works in progress that mistakenly think they are finished. - Dan Gilbert
In every undertaking, the more humans try to be demi-gods, the more they become half-monsters. – Nassim Nicholas Taleb
alan stone
 
Posts: 170
Joined: 2011-10-22 14:08
Location: In my body.

Re: sudoers might be used as security hole

Postby debiman » 2017-03-10 06:51

bester69 wrote: So then, how

enter the password.
security is always a trade-off with convenience.
seems you have chosen convenience (NOPASSWD), so stop complaining that your system lacks security.

PS:
this actually really made me Laugh Out Loud... :lol:
debiman
 
Posts: 1202
Joined: 2013-03-12 07:18

