Page 1 of 1

sudo script can get a root user

Posted: 2023/08/08 04:21:25
by dev4mobile
I found an issue that can be authorized with the command sudo script

You can execute the command as a normal user

sudo script, then you can get a root user

I found this problem in centos7/centos8

Re: sudo script can get a root user

Posted: 2023/08/08 10:56:52
by TrevorH
And what are you expecting to happen?

If you grant sudo privileges to a user to run `script` then they can run the `script` command as root. If you have set up that script with insecure permissions so that an unauthorized user can change it then that is your problem not a sudo problem.

You need to be more explicit about what you are doing and how and why exactly you think this is a bug. It sounds to me like user error.

Re: sudo script can get a root user

Posted: 2023/08/08 13:48:39
by jlehtone
From man sudo:
execute a command as another user

sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
The "another user" is by default the 'root'.

You can run command id -Gn. It shows the groups that your account is member of. If one of them is 'wheel',
then you can use sudo, because the default security policy allows members of group wheel to run any command
(including scripts) as any user (including root) with sudo.

On can create a policy (a "sudoers rule") that user X can use sudo, but only to run command Y as user Z (i.e. not as root).
Obviously that user can't then be member of wheel, which allows more via sudo.

Re: sudo script can get a root user

Posted: 2023/08/08 22:43:26
by dev4mobile
❯ ssh opc@yuanyuan.remote
[opc@instance-20220112-2214 ~]$ ls
1.txt a.out bak c cxx default.conf factorial.c file-final.pcap go hello.c main nohup.out php pre_download.pcap test tulip workspace
[opc@instance-20220112-2214 ~]$ sudo script
Script started, file is typescript
[root@instance-20220112-2214 opc]# id
uid=0(root) gid=0(root) groups=0(root)
[root@instance-20220112-2214 opc]# id -Gn
root
[root@instance-20220112-2214 opc]# ext
bash: ext: command not found
[root@instance-20220112-2214 opc]# exit
exit
Script done, file is typescript
[opc@instance-20220112-2214 ~]$ id -Gn
opc adm wheel systemd-journal docker
[opc@instance-20220112-2214 ~]$

Re: sudo script can get a root user

Posted: 2023/08/08 23:56:59
by TrevorH
You're a member of group wheel. Members of group wheel have full sudo ability and can do anything as root. The fact that you can start the script command as the root user is expected due to this.

If you create a new user that is not a member of group wheel then it will not be able to do this.

Re: sudo script can get a root user

Posted: 2023/08/09 09:45:30
by jlehtone
TrevorH wrote:
2023/08/08 23:56:59
Members of group wheel have full sudo ability and can do anything as root.
Or as any other user.


I bet that running sudo -l -U opc does show something like:

Code: Select all

Matching Defaults entries for opc on instance-20220112-2214:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK

User opc may run the following commands on instance-20220112-2214:
    (ALL) ALL
The syntax of rule is (as_whom) what, and here as_whom is ALL.
That is, the user 'opc' can run sudo -u xx script, and it will be user 'xx' that runs the 'script'.
The default sudo script (when you don't use the -u option) is same as sudo -u root script.

The ALL as what says that user 'opc' can use any command with sudo.


The man sudoers explains more.