[ale] sudo tricks and hints

Jerald Sheets questy at gmail.com
Thu Aug 14 12:07:14 EDT 2014


I like to do a few things in sudoers that enhance the experience, and keep me abreast of what’s going on in the environment.  At the top I usually include the following:


Defaults  env_reset
Defaults  listpw=never
Defaults  syslog=auth
Defaults  !lecture
Defaults  log_year, logfile=/var/log/sudo.log
Defaults  mail_badpass
Defaults  mail_no_perms
Defaults  mail_no_user
Defaults  mail_no_host
Defaults  mailto="you@there.com"


A lot of folks only use a couple of these they've picked up over time, but there's a rich set of things you can set to get enhanced logging and specific behavior.

As for shell escapes, I’ve managed to work that out for myself.  YMMV:

Cmnd_Alias      SHELLS      = /bin/bash, /bin/csh, /bin/dash, /bin/sh, /bin/tcsh, /bin/ksh, /bin/ksh93
Cmnd_Alias      SU          = /bin/su, /usr/bin/su, /usr/bin/sudo, /usr/sbin/visudo
Cmnd_Alias      ACCTCMDS    = /usr/bin/useradd, /usr/bin/userdel, /usr/bin/usermod, /bin/passwd, \
                              /usr/sbin/adduser, /usr/sbin/vipw, /usr/sbin/groupadd, /usr/sbin/groupdel
Cmnd_Alias      BAD_JUJU    = /usr/sbin/killall
Cmnd_Alias      NO_SHELLS   = ALL, !SHELLS, !SU, !ACCTCMDS, !BAD_JUJU

Then you can apply such characteristics to users like so:

username        ALL = NO_SHELLS

or to a group

%lusers         ALL = NO_SHELLS


Hope that helps a bit.




On Aug 14, 2014, at 5:42 AM, Lightner, Jeff <JLightner at dsservices.com> wrote:

> 
> 
> The main thing is to make sure you are restricting things.  If you're allowing access to scripts, especially make sure those are in a location and have permissions so that only root can modify them.  It would be way too easy to add "bash" to the end of a script to make it give you a shell prompt as root.  Similarly, don't ever give things like "sudo vi", as vi/vim can escape to the shell.
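Added example (my own code, not from the post above and not sudo's): a small Python model of how sudo resolves a Cmnd_Alias list, run against the aliases from the post. It follows sudo's last-match-wins rule (the member list is walked from the end and the first member that matches decides, with ! flipping ALLOW to DENY) and compares plain command entries to the requested path as strings. Two things it makes visible: an un-negated BAD_JUJU next to ALL is a no-op, so that form of NO_SHELLS still lets killall through, and, as sudoers(5) warns in its section on the limitations of the ! operator, subtracting commands from ALL is not a real restriction, because a copy of a shell at a path that is not listed in SHELLS (such as /tmp/bash) simply matches ALL. The sudoers text embedded below is constructed for the demo: NO_SHELLS_WEAK, the %lusers line and the user names are mine. Host lists other than ALL, Runas lists and tags are not parsed.

```python
"""Model of sudo's Cmnd_Alias resolution (added example, not the post's code).

Mirrors sudo's cmndlist_matches(): members are checked last-to-first, the first
member that matches decides, and a leading '!' turns ALLOW into DENY.
"""
import re

ALLOW, DENY, UNSPEC = True, False, None

# Constructed sudoers fragment (assumption: not from the original post verbatim).
# NO_SHELLS is the corrected alias; NO_SHELLS_WEAK is the un-negated BAD_JUJU form.
SUDOERS = r"""
Cmnd_Alias SHELLS    = /bin/bash, /bin/csh, /bin/dash, /bin/sh, /bin/tcsh, /bin/ksh, /bin/ksh93
Cmnd_Alias SU        = /bin/su, /usr/bin/su, /usr/bin/sudo, /usr/sbin/visudo
Cmnd_Alias ACCTCMDS  = /usr/bin/useradd, /usr/bin/userdel, /usr/bin/usermod, /bin/passwd, \
                       /usr/sbin/adduser, /usr/sbin/vipw, /usr/sbin/groupadd, /usr/sbin/groupdel
Cmnd_Alias BAD_JUJU  = /usr/sbin/killall
Cmnd_Alias NO_SHELLS_WEAK = ALL, !SHELLS, !SU, !ACCTCMDS, BAD_JUJU
Cmnd_Alias NO_SHELLS      = ALL, !SHELLS, !SU, !ACCTCMDS, !BAD_JUJU
username ALL = NO_SHELLS
%lusers  ALL = NO_SHELLS_WEAK
"""


def parse(text):
    """Return (aliases, specs): Cmnd_Alias name -> member list, and user specs.

    Only 'Cmnd_Alias NAME = members' and 'user HOSTS = cmds' lines are understood;
    Runas lists, tags and host aliases are out of scope for this model.
    """
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
        else:
            who, rest = line.split(None, 1)
            hosts, cmds = rest.split("=", 1)
            specs.append((who, hosts.strip(), [m.strip() for m in cmds.split(",")]))
    return aliases, specs


def member_matches(member, cmd, aliases):
    """ALLOW / DENY / UNSPEC for one list member; '!!' cancels out like in sudo."""
    stripped = member.lstrip("!")
    negated = (len(member) - len(stripped)) % 2 == 1
    if stripped == "ALL":
        result = ALLOW
    elif stripped in aliases:
        result = list_matches(aliases[stripped], cmd, aliases)
    else:
        result = ALLOW if stripped == cmd else UNSPEC  # plain path: string compare
    if result is UNSPEC:
        return UNSPEC
    return (not result) if negated else result


def list_matches(members, cmd, aliases):
    """Walk the list from the end; the first member that matches decides."""
    for member in reversed(members):
        result = member_matches(member, cmd, aliases)
        if result is not UNSPEC:
            return result
    return UNSPEC


def may_run(user, groups, cmd, aliases, specs):
    """True if the last matching user spec (host ALL only) allows cmd."""
    decision = UNSPEC
    for who, hosts, cmds in specs:
        if hosts != "ALL":
            continue
        if who == user or who == "ALL" or (who.startswith("%") and who[1:] in groups):
            result = list_matches(cmds, cmd, aliases)
            if result is not UNSPEC:
                decision = result  # later user specs override earlier ones
    return decision == ALLOW


if __name__ == "__main__":
    aliases, specs = parse(SUDOERS)
    cases = [
        ("username", [], "/bin/bash"),          # listed in SHELLS: denied
        ("username", [], "/tmp/bash"),          # copied shell, not in SHELLS: allowed (bypass)
        ("username", [], "/usr/bin/bash"),      # same binary under merged /usr: allowed (bypass)
        ("username", [], "/usr/sbin/killall"),  # !BAD_JUJU: denied
        ("bob", ["lusers"], "/usr/sbin/killall"),  # un-negated BAD_JUJU: still allowed
    ]
    for user, groups, cmd in cases:
        verdict = "ALLOW" if may_run(user, groups, cmd, aliases, specs) else "DENY"
        print(f"{user:10} {cmd:22} {verdict}")
```

The /tmp/bash and /usr/bin/bash rows are the point: a deny-list of shell paths only blocks those exact strings, which is why sudoers(5) recommends enumerating the commands a user may run rather than subtracting from ALL.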


