sudoers might be used as security hole


Post by bester69 » 2017-03-07 01:06

Warning!! You shouldn't use sudoers with a script file.
This is kind of a potential exploit. By doing that you're compromising the whole system; it's like giving root access to any user that finds out that sudoers file.

This is right now my sudoers file:
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/tee
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/killall
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/renice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/ionice
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/chattr
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/service
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/pm-suspend
fulano ALL=(ALL:ALL) NOPASSWD: /usr/sbin/alsactl
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/VBoxManage
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/virtualbox
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script2
....
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script-N.sh



I've like around 15 scripts in sudoers that might be used as an exploit. Any person that figures it out just needs to edit those scripts to get the root password. :?

There should be more potential warnings about using scripts in sudoers file :x

Re: sudoers might be used as security hole

Post by Segfault » 2017-03-07 02:51

You have the weirdest understanding of security and user accounts. You could run your system as root, it would not make any difference.

Re: sudoers might be used as security hole

Post by bester69 » 2017-03-07 14:51

Segfault wrote: You have the weirdest understanding of security and user accounts. You could run your system as root, it would not make any difference.


So then, how do I run a script or command that needs admin permissions if it's not by making use of sudoers?? If I'm doing it this way, I can imagine many people committing the same temerity. Sorry, can you shed some light on this? Thanks

Re: sudoers might be used as security hole

Post by acewiza » 2017-03-07 17:18

bester69 wrote: I've like around 15 scripts in sudoers that might be used as an exploit.

That seems like a bad idea.
Nobody would ever ask questions if everyone possessed encyclopedic knowledge of the man pages.

Re: sudoers might be used as security hole

Post by cpoakes » 2017-03-07 20:32

Nope. Any binary is as vulnerable as any script when the file permissions allow anyone other than the owner to modify it.
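Added example (not written by any poster in this thread): an audit of the concern discussed above, listing sudoers command paths that a non-root account could modify or replace, whether script or binary. It assumes the simple one-command-per-line form shown in the first post and a deliberately strict policy; the function names and the sample text are this example's own.

```python
import os
import re
import stat

# Constructed sample in the style of the sudoers lines posted in the thread.
SAMPLE_SUDOERS = """\
fulano ALL=(ALL:ALL) NOPASSWD: /usr/bin/renice
fulano ALL=(ALL:ALL) NOPASSWD: /home/fulano/scripts/script1.sh
"""

# Handles the simple one-command-per-line form only; aliases, includes and
# comma-separated command lists are out of scope for this sketch.
RULE = re.compile(r"(\S+)\s+\S+=(?:\([^)]*\))?\s*(?:[A-Z]+:\s*)*(/[^\s,]+)")

def sudoers_commands(text):
    """Return (user, command_path) pairs found in sudoers-style text."""
    lines = (l.strip() for l in text.splitlines())
    hits = (RULE.match(l) for l in lines if not l.startswith("#"))
    return [(m.group(1), m.group(2)) for m in hits if m]

def replaceable_by_non_root(path, stat_fn=os.stat):
    """List reasons a non-root account could change what `path` runs."""
    # Strict policy (an assumption of this example): the file and every
    # ancestor directory must be owned by uid 0 with no group/other write bit.
    reasons, current = [], os.path.abspath(path)
    while True:
        try:
            st = stat_fn(current)  # injectable so tests need no real files
            if st.st_uid != 0:
                reasons.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append(f"{current}: group/other writable")
        except FileNotFoundError:
            reasons.append(f"{current}: does not exist")
        parent = os.path.dirname(current)
        if parent == current:
            return reasons
        current = parent

def audit(text, stat_fn=os.stat):
    """Map each risky command path in the sudoers text to its reasons."""
    found = ((cmd, replaceable_by_non_root(cmd, stat_fn))
             for _user, cmd in sudoers_commands(text))
    return {cmd: why for cmd, why in found if why}
```

On a real system, pass the contents of the sudoers file (read as root) to `audit()`; a root-owned script inside a user-owned directory is still reported, because the directory owner can rename it and put another file in its place.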

Re: sudoers might be used as security hole

Post by Head_on_a_Stick » 2017-03-07 21:36

"Only the mediocre are always at their best." — Jean Giraudoux

Re: sudoers might be used as security hole

Post by alan stone » 2017-03-08 04:17

Debian 8.9 32bit, WM: Openbox
Computers are like air conditioners. They work fine until you start opening windows. - Author Unknown
Programming is like sex. One mistake and you have to support it for the rest of your life. - Michael Sinz

Re: sudoers might be used as security hole

Post by debiman » 2017-03-10 06:51

bester69 wrote: So then, how

enter the password.
security is always a trade-off with convenience.
seems you have chosen convenience (NOPASSWD), so stop complaining that your system lacks security.

PS:
this actually really made me Laugh Out Loud... :lol: