
Differences between version 10 and predecessor to the previous major change of SudoHowto.


Newer page: version 10 Last edited on Friday, July 7, 2006 11:50:46 am by AristotlePagaltzis
Older page: version 8 Last edited on Sunday, August 28, 2005 10:48:54 am by DanielLawson
@@ -11,9 +11,9 @@
 Note that <tt>visudo</tt> may insist on making you use vi(1) to edit the file, though some configurations may respect your choice of TextEditor according to the <tt>EDITOR</tt>/<tt>VISUAL</tt> EnvironmentVariable~s. If this bugs you, edit <tt>/etc/sudoers</tt> with another editor, then use <tt>visudo -c</tt> to check it for correctness. (You can add an incantation to <tt>/etc/sudoers</tt> to tell <tt>visudo</tt> what <tt>EDITOR</tt>/<tt>VISUAL</tt> settings to respect, but that's pointless to discuss here since most people are only ever going to edit the file once.) 
  
 !! Sudo and passwords 
  
-Sudo operates in two modes with respect to passwords - it needs them or it doesn't. The ' NOPASSWD' configuration token states that no password is needed for this block - if that token is not present, the user will have to type in their password. 
+Sudo operates in two modes with respect to passwords it needs them or it doesn't. The <tt> NOPASSWD</tt> configuration token states that no password is needed for this block if that token is not present, the user will have to type in their password. 
  
 Note that sudo does not escalate any priviledges for the original user. All priviledged commands must still be executed through the sudo command. 
  
 ! Which password? 
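Review bot: the rewritten "Sudo operates in two modes with respect to passwords" line drops the dash that separated its clauses, so "with respect to passwords it needs them or it doesn't" and "for this block if that token is not present" now run together; if the hyphen was swapped for a character the renderer cannot display, a colon or full stop would be safer, e.g. `Sudo operates in two modes with respect to passwords: it needs them or it doesn't.` The new `<tt> NOPASSWD</tt>` also carries a leading space inside the tag, which renders as " NOPASSWD" and makes the token harder to copy exactly; the unchanged context line's "priviledges"/"priviledged" could be corrected to "privileges"/"privileged" while this paragraph is being touched.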
@@ -27,13 +27,14 @@
  
 !! Notes on examples 
  
 The following sections all assume a couple of things: 
-* You are using visudo (or a similar program) to edit /etc/sudoers. See the notes above for more information on this  
-* There are two users, jack and jill, on the machine  
-* jack is a member of the unix group <tt>wheel</tt>, jill is not  
-* jack and jill are both members of the unix group <tt>users</tt>  
-* I use the ' whoami' command, because it reports the userid , and is therefore effective in showing the change in privilege. 
+  
+ * You are using visudo (or a similar program) to edit <tt> /etc/sudoers</tt> . See the notes above for more information on this  
+* There are two users, <tt> jack</tt> and <tt> jill</tt> , on the machine  
+* <tt> jack</tt> is a member of the unix group <tt>wheel</tt>, jill is not  
+* <tt> jack</tt> and <tt> jill</tt> are both members of the unix group <tt>users</tt>  
+* I use the whoami(1) command, because it reports the user ID , and is therefore effective in showing the change in privilege. 
  
 !! Basic format 
  
 The basic format of the user specification in the sudoers file looks like: 
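Review bot: the first new list item, ` * You are using visudo ...`, is indented by one space while the other items start at column one, so the wiki is likely to render it outside the bullet list or as a nested level; align it with the rest. The added `<tt>` markup has stray spaces inside the tags and before punctuation (`<tt> /etc/sudoers</tt> .`, `user ID ,`), and on the third item `jill` is left unmarked while `jack` gets `<tt>`; the blank line inserted ahead of the list is also unnecessary.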
@@ -41,19 +42,20 @@
 <verbatim> 
 user hostlist = (userlist) commandlist 
 </verbatim> 
  
-* The ' hostlist' is a list of hosts this rule applies to  
-* The ' userlist' is a list of users that this rule can be run as. and must be enclosed in ( )  
-* The ' commandlist' is a list of commands that this rule states can be executed 
+* <i>user</i> is the name of the user or group to which this rule applies  
+* <i> hostlist</i> is a list of hosts this rule applies to  
+* <i> userlist</i> is a list of users that this rule can be run as. and must be enclosed in ( )  
+* <i> commandlist</i> is a list of commands that this rule states can be executed 
  
-The userlist token is optional - if excluded, it defaults to <tt>root</tt>. 
+The userlist token is optional if excluded, it defaults to <tt>root</tt>. 
  
 All three of hostlist, userlist and commandlist can be replaced with the token <tt>ALL</tt>, allowing unrestricted access in each situation. 
  
 !! Setting sudo to allow a user to run commands as root 
  
-This is the most common usage of sudo - it lets a specific user run all commands as the root user, without having to know the root password. Many modern linux distributions (such as Ubuntu) configure this by default for the first user of the system. 
+This is the most common usage of sudo it lets a specific user run all commands as the root user, without having to know the root password. Many modern linux distributions (such as Ubuntu) configure this by default for the first user of the system. 
  
 <verbatim> 
 jill ALL = ALL 
 </verbatim> 
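Review bot: the new `<i>user</i>` item is a useful addition, but the second item still reads "that this rule can be run as. and must be enclosed in ( )" (the full stop should be a comma), and the dashes removed from "The userlist token is optional if excluded, it defaults to root" and "This is the most common usage of sudo it lets a specific user" leave both sentences running together; a colon or semicolon would keep the meaning. Since this hunk explains that the parenthesised list is optional and defaults to root, it would help readers to say beside the `jill ALL = ALL` example that it is equivalent to `jill ALL = (root) ALL`.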
@@ -72,9 +74,9 @@
  
  
 !! Setting sudo to not require a password 
  
-In many situations people wish to not have to enter a password. This is useful if you are the only user on the machine, or if you really trust your admin users and know that they keep good security with respect to their passwords, accounts, ssh keys, and so on. 
+In many situations people wish to not have to enter a password. This is useful if you are the only user on the machine, or if you really trust your admin users and know that they keep good security with respect to their passwords, accounts, [SSH] keys, and so on. 
  
 <verbatim> 
 %wheel ALL = NOPASSWD: ALL 
 </verbatim> 
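Review bot: linking [SSH] is fine, but the sentence introducing `%wheel ALL = NOPASSWD: ALL` could make the trust requirement concrete: once NOPASSWD is set for the group, anyone who obtains a wheel member's session, account password or SSH key gets root without any further prompt, which is exactly why the text asks for trust in "passwords, accounts, SSH keys".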
@@ -100,9 +102,9 @@
 It's important to provide a complete path, as if you merely include the executable name, a user could gain root access through malicious code execution. 
  
 !! Running commands as a different user. 
  
-Sudo lets you run commands as the root user by default - but you can also configure it to allow you to run commands as any user. To do this we add another token to the configurations mentioned above 
+Sudo lets you run commands as the root user by default but you can also configure it to allow you to run commands as any user. To do this we add another token to the configurations mentioned above 
  
 eg: 
 <verbatim> 
 %users ALL = ALL 
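Review bot: "Sudo lets you run commands as the root user by default but you can also configure it" lost its dash and now needs a comma before "but"; the sentence "To do this we add another token to the configurations mentioned above" still has no terminating full stop (unchanged from the old version), and the heading "Running commands as a different user." carries a trailing period unlike the other headings.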
@@ -154,9 +156,9 @@
  /usr/local/bin/tcsh, /usr/bin/rsh, \ 
  /usr/local/bin/zsh 
 </verbatim> 
  
-These can be used in place of the ' commandlist' token 
+These can be used in place of the commandlist token 
  
 !! Restricting commands 
  
 You might wish to allow users the ability to run most commands, but to restrict a few. Eg, let's say you don't want your users to be able to run the 'su' command, or to execute a shell, as the root user. 
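Review bot: dropping the quotes around commandlist here is inconsistent with the earlier hunk, which switched the same tokens to `<i>commandlist</i>`; use the italic markup in this line as well so the term is marked up the same way throughout the page.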
@@ -169,11 +171,11 @@
  
  
 !!! Usage of sudo 
  
-If sudo has been configured to not required a password for the particular command you are trying to execute, it will ' just work'
+If sudo has been configured to not required a password for the particular command you are trying to execute, it will just work.  
  
-If the NOPASSWD token has not been set, you will be prompted to enter your password the first time you try to execute sudo 
+If the <tt> NOPASSWD</tt> token has not been set, you will be prompted to enter your password the first time you try to execute sudo 
  
 <verbatim> 
 $ sudo whoami 
 Password: 
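Review bot: "If sudo has been configured to not required a password" is a grammatical error carried over from the old version ("to not require a password"); since the line is being rewritten anyway, fix it here. `<tt> NOPASSWD</tt>` again has a leading space inside the tag, and "the first time you try to execute sudo" still ends without a full stop.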
@@ -241,29 +243,33 @@
 ''An attacker discovers the password of an administrative user account (jack) on a machine. He can use this to log into the machine directly. After logging in, he discovers that the kernel is vulnerable to a local root escalation exploit, and so he downloads and compiles an appropriate rootkit, executes it, and can now completely take over the machine.'' 
  
 Slightly more work, but you have to consider that people who break into machines *already have* these tools available. How about another couple of situations: 
  
-''An attacker discovers the password of an administrative user account (jack) on a machine. He can use this to log into the machine directly. He checks through jack's .bash_history file and notices a random-looking sequence of characters the line before 'su' is executed. He runs 'su', and uses this sequence of characters, and his hunch pays off - he now has a root shell on the machine.'' 
+''An attacker discovers the password of an administrative user account (jack) on a machine. He can use this to log into the machine directly. He checks through jack's .bash_history file and notices a random-looking sequence of characters the line before 'su' is executed. He runs 'su', and uses this sequence of characters, and his hunch pays off he now has a root shell on the machine.'' 
  
-''An attacker discovers the password of an administrative user account (jack) on a machine. He can use this to log into the machine directly. He checks the kernel, it is not vulnerable to any known local root escalation exploits. He instead downloads a trojaned version of the 'su' command to the machine. This program will intercept the user's attempt to authenticate with the root password, storing the password, before passing it all on to the real version. The hacker then modifies jack's PATH to include this binary before everything else, so that when jack runs the 'su' command, it will run the trojaned version. The hacker receives an email from his program a day later - jack has used the trojan su command, and given away his root password. The hacker can now completely take over the machine.'' 
+''An attacker discovers the password of an administrative user account (jack) on a machine. He can use this to log into the machine directly. He checks the kernel, it is not vulnerable to any known local root escalation exploits. He instead downloads a trojaned version of the 'su' command to the machine. This program will intercept the user's attempt to authenticate with the root password, storing the password, before passing it all on to the real version. The hacker then modifies jack's PATH to include this binary before everything else, so that when jack runs the 'su' command, it will run the trojaned version. The hacker receives an email from his program a day later jack has used the trojan su command, and given away his root password. The hacker can now completely take over the machine.'' 
  
  
-Whether any of the above scenarios are feasable or not is another matter - the point is that once an attacker has a local shell on your machine, all bets are off. It is almost certain they will have installed a trojan somewhere, or will have already gained root already through other mechanisms. Sudo doesn't really make this much worse. 
+Whether any of the above scenarios are feasable or not is another matter the point is that once an attacker has a local shell on your machine, all bets are off. It is almost certain they will have installed a trojan somewhere, or will have already gained root already through other mechanisms. Sudo doesn't really make this much worse. 
  
 That said, there are some practical things you can do to increase sudo security 
  
 !! Decrease the cache timeout: 
  
-You can set sudo to expire its password cache sooner than the default 15 minutes, by setting the <tt>timestamp_timeout</tt> option to something else in /etc/sudoers 
+You can set sudo to expire its password cache sooner than the default 15 minutes, by setting the <tt>timestamp_timeout</tt> option to something else in <tt> /etc/sudoers</tt>.  
  
 !! Force expire your password token: 
  
 If you know you have finished using sudo for now, use <tt>sudo -k</tt> to expire your tokens right now. This could be included in a .bash_logout script to force expiring tokens when you logout of a machine, or your screensaver could be configured to execute it for you. 
  
-!! Prevent TTY attacks 
+!! Prevent <tt> TTY</tt> attacks 
  
-sudo doesn't care about which TTY you are logged in on by default. EG , if I login on one console, run sudo and enter my password, then login on another console, and run sudo again, my password is already cached. This could be bad if you left yourself logged in elsewhere by accident - say on another machine. 
+sudo doesn't care about which <tt> TTY</tt> you are logged in on by default. Eg. , if I login on one console, run sudo and enter my password, then login on another console, and run sudo again, my password is already cached. This could be bad if you left yourself logged in elsewhere by accident say on another machine. 
  
-sudo can be compiled with the USE_TTY_TICKETS option, which will limit a ticket to a particular TTY. Not many distributions seem to do this however. 
+sudo can be compiled with the <tt> USE_TTY_TICKETS</tt> option, which will limit a ticket to a particular <tt> TTY</tt> . Not many distributions seem to do this however. 
  
 ! References 
-* http://www.securiteam.com/unixfocus/3Y5QCR5N5O.html 
+* [SuDo security threat prevention | http://www.securiteam.com/unixfocus/3Y5QCR5N5O.html]  
+* [Sudos (and Sudon'ts) | http://www.oreillynet.com/pub/wlg/9326] – some lessons from practice for larger installations  
+  
+----  
+CategoryHowto
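Review bot: four more sentences in this hunk lost their dash and now run together ("his hunch pays off he now has a root shell", "a day later jack has used the trojan su command", "is another matter the point is that", "by accident say on another machine"); the en dash in the new "Sudos (and Sudon'ts)" reference does render, so whatever replaced the hyphens elsewhere did not survive and should be re-entered as punctuation that does. Smaller points: "Eg. ," should be "e.g.," or "for example,"; "feasable" (unchanged) should be "feasible"; `<tt> TTY</tt>`, `<tt> USE_TTY_TICKETS</tt>` and `<tt> /etc/sudoers</tt>` all carry a leading space inside the tag and `<tt> TTY</tt> .` a space before the full stop. For the "Decrease the cache timeout" paragraph it would help to show the exact line to put in /etc/sudoers, since the text names the `timestamp_timeout` option but not how it is written, and "Not many distributions seem to do this however" is a dated observation that would be better phrased as something the reader can check on their own system.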