Page 1 of 1
sudo script can get a root user
Posted: 2023/08/08 04:21:25
by dev4mobile
I found an issue that can be authorized with the command sudo script
You can execute the command as a normal user
sudo script, then you can get a root user
I found this problem in centos7/centos8
Re: sudo script can get a root user
Posted: 2023/08/08 10:56:52
by TrevorH
And what are you expecting to happen?
If you grant sudo privileges to a user to run `script` then they can run the `script` command as root. If you have set up that script with insecure permissions so that an unauthorized user can change it then that is your problem not a sudo problem.
You need to be more explicit about what you are doing and how and why exactly you think this is a bug. It sounds to me like user error.
Re: sudo script can get a root user
Posted: 2023/08/08 13:48:39
by jlehtone
From
man sudo:
execute a command as another user
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
The "another user" is by default the 'root'.
You can run command
id -Gn. It shows the groups that your account is member of. If one of them is 'wheel',
then you can use sudo, because the default security policy allows members of group wheel to run any command
(including scripts) as any user (including root) with sudo.
On can create a policy (a "sudoers rule") that user X can use sudo, but only to run command Y as user Z (i.e. not as root).
Obviously that user can't then be member of wheel, which allows more via sudo.
Re: sudo script can get a root user
Posted: 2023/08/08 22:43:26
by dev4mobile
❯ ssh
opc@yuanyuan.remote
[opc@instance-20220112-2214 ~]$ ls
1.txt a.out bak c cxx default.conf factorial.c file-final.pcap go hello.c main nohup.out php pre_download.pcap test tulip workspace
[opc@instance-20220112-2214 ~]$ sudo script
Script started, file is typescript
[root@instance-20220112-2214 opc]# id
uid=0(root) gid=0(root) groups=0(root)
[root@instance-20220112-2214 opc]# id -Gn
root
[root@instance-20220112-2214 opc]# ext
bash: ext: command not found
[root@instance-20220112-2214 opc]# exit
exit
Script done, file is typescript
[opc@instance-20220112-2214 ~]$ id -Gn
opc adm wheel systemd-journal docker
[opc@instance-20220112-2214 ~]$
Re: sudo script can get a root user
Posted: 2023/08/08 23:56:59
by TrevorH
You're a member of group wheel. Members of group wheel have full sudo ability and can do anything as root. The fact that you can start the script command as the root user is expected due to this.
If you create a new user that is not a member of group wheel then it will not be able to do this.
Re: sudo script can get a root user
Posted: 2023/08/09 09:45:30
by jlehtone
TrevorH wrote: ↑2023/08/08 23:56:59
Members of group wheel have full sudo ability and can do anything as root.
Or as any other user.
I bet that running
sudo -l -U opc does show something like:
Code: Select all
Matching Defaults entries for opc on instance-20220112-2214:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK
User opc may run the following commands on instance-20220112-2214:
(ALL) ALL
The syntax of rule is
(as_whom) what, and here
as_whom is
ALL.
That is, the user 'opc' can run
sudo -u xx script, and it will be user 'xx' that runs the 'script'.
The default
sudo script (when you don't use the -u option) is same as
sudo -u root script.
The
ALL as
what says that user 'opc' can use any command with sudo.
The
man sudoers explains more.