These kinds of issues with sudo have been around for years. Even if you deleted vi from the system, you can still do anything you want if you have root privs to the right binaries:

tar: (to perform backups, etc.) Untar a new password file overwriting the old, or untar a setuid root shell leaving the bit set.

passwd: (to change people's passwords) Obviously, they can change root's password or that of someone else who has higher privs.

find: (to perform searches) The exec clause will allow the user to perform whatever operations they desire as root!

vi: Not only can they escape to a shell, they can write to any file they want to, execute shell commands and read them into the buffer (:r !), and *unintentionally* really screw up the system if they press the wrong key.

crontab: Can run malicious scripts or binaries as root designed to give them root privileges.

Any binary: May have a buffer overflow vulnerability.

This is the reason most people feel the software isn't something that needs to be 'fixed', but rather understood better. There really ought to be a good philosophy for 'sudo' with any systems group. Playing around with root privileges is very dangerous if you don't have a full grasp on the dangers of giving someone sudo privs. Even if you do, the next buffer-overflow vulnerability may be for that totally safe binary you just gave someone access to. What it boils down to is, if you don't trust someone with full access to the machine, don't give them sudo privileges. In your crontab situation, even if you couldn't drop to a shell in vi, you could easily set up a root cron to perform an echo 'password' | passwd root and then just su yourself, or do a million other things. sudo is a great *tracking* tool but a bad security control tool IMHO. I do think, however, that any unix implementation coming with default sudo privileges is inherently "buggy" on the same level as installing linux without the shadow password suite.
Anyhow, now that I'm finished with my lecture: if you really want to give someone the ability to run crontab under sudo, you see it really doesn't matter if they can escape to a shell in vi, because they can easily change the root password, add themselves to the bottom of the sudoers file, or do a million other things with cron, so you ought to be able to trust them with full root privs anyway. If, however, you are looking for a good way to allow someone to edit files using sudo, and have already rejected the idea of using groups or ACLs, consider 'elvis'. Elvis is a 'vi' emulator designed to look and feel just like vi, only it has a 'paranoid' mode you can run it in for secure edits, which will disable shells, executing commands, and a million other things in vi that could give someone root.
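An added example, not part of the original post: a small Python audit that reads a sudoers-style file and flags the grants the post warns about (ALL, plus tar, passwd, find, vi and crontab), so an admin can see which entries amount to handing out root. It assumes a simplified sudoers grammar (no aliases, includes or line continuations), an assumed RISKY_COMMANDS list to extend to local policy, and a constructed sample file embedded inline.

```python
import os
import re
from typing import List, Tuple

# Commands the post names as giving effective root when allowed under sudo.
# Assumed starting list; extend it to match local policy.
RISKY_COMMANDS = {"tar", "passwd", "find", "vi", "crontab"}

# user  host=(runas) [TAG:] cmd1, cmd2 ...
# Simplified sudoers grammar: aliases, #include and '\' continuations are not handled.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample, not a real configuration.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Cmnd_Alias  BACKUP = /bin/tar
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
alice       ALL=(root) NOPASSWD: /usr/bin/crontab -e, /bin/tar cf /backup/home.tar /home
bob         ALL=(ALL) /usr/bin/find /var/log -name *.log   # log cleanup
carol       ALL=(ALL) /usr/bin/systemctl restart nginx
"""


def audit_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (who, command, reason) for every grant that amounts to full root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: etc.
            if cmd == "ALL":
                findings.append((who, cmd, "unrestricted root"))
            elif cmd and os.path.basename(cmd.split()[0]) in RISKY_COMMANDS:
                binary = os.path.basename(cmd.split()[0])
                findings.append((who, cmd, f"{binary} can escape to a shell or rewrite root-owned files"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:45} {reason}")
```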
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 09:28:34 PDT