Matt Shields wrote:
> Is there anyone on the list that has some suggestions on securing sudo?

As Dan pointed out, sudo is essentially a gentleman's agreement. You don't grant sudo access to anyone you wouldn't trust to be root. It exists for the convenience of logging who did what, and making it a bit easier to extend root privileges without having to share a password.

> For years we've used sudo to give our developers and qa access to
> production servers to run cat, less, more and tail to view logs, but
> nothing else.

For such a specific use case, if you really want to tighten the security, don't use sudo. Instead, try one of these:

- Create a group, and put the logs and the developers into the group. Perhaps using links and other tricks, as were recently discussed on this list, or maybe ACLs.
- Create a patched (or wrapped) version of less that runs setUID and only permits access to the log files. (Though I'd avoid something as complex as less. I'd find a bare-bones pager that is implemented in a few screens worth of easily audited C code.)
- Rename (or hard link to) your favorite pager, set it setUID, and then clamp down its access with AppArmor or SELinux.

> LESSSECURE=1 ... will keep them from using ! in less.
> Any other suggestions for cat, more and tail?

'more' probably has something equivalent, but I'm not aware of cat or tail having any mechanism to directly invoke a subshell. Of course any program that can be used to read files and devices that only root has access to could potentially get leveraged to provide greater access.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
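One way to build the "wrapped pager" option from Tom's list, as an added example that is not part of the post: a small setuid C wrapper that canonicalises the requested path, refuses anything outside one log directory, opens the file while still privileged, drops to the caller's real uid/gid, and only then execs the pager on stdin with LESSSECURE=1 and a scrubbed environment. The program name logview, LOG_DIR and PAGER are assumptions for your site.

```c
/* logview.c: added example, not from the post. A minimal setuid wrapper
 * that only pages files under LOG_DIR, then drops root before exec. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define LOG_DIR "/var/log"       /* assumption: the only tree users may read */
#define PAGER   "/usr/bin/less"  /* assumption: pager to exec */

/* 1 if an already-canonical path lies strictly inside dir. The check is
 * component-aware, so "/var/logs/x" is not under "/var/log". */
int under_dir(const char *path, const char *dir) {
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0) return 0;
    return path[n] == '/' && path[n + 1] != '\0';
}

/* Canonicalise (symlinks, "..") before checking; fills resolved on success. */
int log_path_allowed(const char *arg, char *resolved) {
    if (realpath(arg, resolved) == NULL) return 0;
    return under_dir(resolved, LOG_DIR);
}

int main(int argc, char **argv) {
    char resolved[PATH_MAX], term[64];
    if (argc != 2 || !log_path_allowed(argv[1], resolved)) {
        fprintf(stderr, "usage: logview <file under %s>\n", LOG_DIR);
        return 1;
    }
    /* Open while still privileged; O_NOFOLLOW guards the final component. */
    int fd = open(resolved, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) { perror("open"); return 1; }
    /* Drop to the caller's real gid/uid before running anything complex. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("setuid"); return 1; }
    if (dup2(fd, STDIN_FILENO) < 0) { perror("dup2"); return 1; }
    close(fd);
    /* Clean environment: LESSSECURE=1 disables '!' and friends, and no
     * LESSOPEN/LESSCLOSE filters are inherited from the caller. */
    const char *t = getenv("TERM");
    snprintf(term, sizeof term, "TERM=%s", t ? t : "vt100");
    char *const envp[] = { "LESSSECURE=1", term, NULL };
    char *const args[] = { PAGER, NULL };
    execve(PAGER, args, envp);
    perror("execve");
    return 1;
}
```

Install it root-owned with mode 4750 and a group containing only the developers, so the setuid bit is reachable by them alone; the path check still applies to whatever they pass.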