Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Problems with sudo

Matt Shields wrote:
> Is there anyone on the list that has some suggestions on securing sudo?

As Dan pointed out, sudo is essentially a gentleman's agreement. You 
don't grant sudo access to anyone you wouldn't trust to be root. It 
exists for the convenience of logging who did what, and making it a bit 
easier to extend root privileges without having to share a password.

> For years we've used sudo to give our developers and qa access to
> production servers run cat, less, more and tail to view logs, but
> nothing else.

For such a specific use case, if you really want to tighten the 
security, don't use sudo. Instead, try one of these:

Create a group, and put the logs and the developers into the group. 
Perhaps using links and other tricks, as were recently discussed on this 
list, or maybe ACLs.

Create a patched (or wrapped) version of less that runs setUID and only 
permits access to the log files. (Though I'd avoid something as complex 
as less. I'd find a bare-bones pager that is implemented in a few 
screens worth of easily audited C code.)

Rename (or hard link to) your favorite pager, set it setUID, and then 
clamp down its access with AppArmor or SELinux.

> LESSSECURE=1 ... will keep them from using ! in less. 
> Anything other suggestions for cat, more and tail?

'more' probably has something equivalent, but I'm not aware of cat or 
tail having any mechanism to directly invoke a subshell. Of course any 
program that can be used to read files and devices that only root has 
access to could potentially get leveraged to provide greater access.


Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile:

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /