AIX x sudo 1.6.9p17 - Aix



Thread: AIX x sudo 1.6.9p17

  1. AIX x sudo 1.6.9p17

    I'm trying to restrict the use of a few tools on AIX known by its
    shell escapes history.
    I started the tests with vi, crontab, less and find.
    The problem is: I cannot use the command crontab -e anymore. Even if I
    remove vi from the list.
    Does anyone know how to make it work? Is there any other way to
    accomplish that?
    Here is the NOEXEC declaration in the sudoers file:
    Cmnd_Alias NOEXCMD = /usr/bin/vi, /usr/bin/crontab, /usr/bin/less, /usr/bin/find
    Any help will be greatly appreciated,

    Jackson

  2. Re: AIX x sudo 1.6.9p17

    On Sep 17, 8:23 am, Jack wrote:
    > I'm trying to restrict the use of a few tools on AIX known by its
    > shell escapes history.
    > I started the tests with vi, crontab, less and find.
    > The problem is: I cannot use the command crontab -e anymore. Even if I
    > remove vi from the list.
    > Does anyone know how to make it work? Is there any other way to
    > accomplish that?
    > Here is the NOEXEC declaration in the sudoers file:
    > Cmnd_Alias NOEXCMD = /usr/bin/vi, /usr/bin/crontab, /usr/bin/less, /usr/bin/find
    > Any help will be greatly appreciated,
    >
    > Jackson


    no way I'd allow vi, find or crontab to any users except the sys
    admin; they're a very wide door.....

    what's the shell escape problem ?

  3. Re: AIX x sudo 1.6.9p17

    On 09/17/2008 11:06 PM, Henry wrote:
    > no way I'd allow vi, find or crontab to any users except the sys
    > admin; they're a very wide door.....


    Why do you think these standard facilities present a security risk, and
    that sudo is the most appropriate solution?

    The "AIX way" is to control cron access with cron.allow and cron.deny.

    Deny access to vi and find? Why not echo, cat and ls as well then? If
    the permissions of the file-systems are correct, these should not
    present a risk.

    regards,
    Niel



  4. Re: AIX x sudo 1.6.9p17

    On 09/18/2008 08:01 AM, Niel Lambrechts wrote:
    > On 09/17/2008 11:06 PM, Henry wrote:
    >> no way I'd allow vi, find or crontab to any users except the sys
    >> admin; they're a very wide door.....

    >
    > Why do you think these standard facilities present a security risk, and
    > that sudo is the most appropriate solution?


    Mmm... sorry, I thought the OP wanted to deny access to the tools for
    _regular_ users.

    I'd never grant access for a regular user to run vi, find or crontab as
    root, even given a shell escape control option!

    From what I can find, NOEXEC does not work for ksh on AIX and you'd need
    to create a wrapper script that contains:

    #!/bin/sh
    export SHELL=/usr/bin/false    # vi's :sh and :! now get /usr/bin/false
    exec "$@"                      # "$@" keeps arguments with spaces intact

    and then call sudo /usr/local/bin/script

    Niel
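The wrapper idea above, carried a step further as an added example (this is not code from the thread or from the sudo project): it keeps Niel's SHELL=/usr/bin/false trick but also refuses anything outside an explicit allowlist and quotes the arguments properly, so it can be the only command granted in sudoers, e.g. with a sudoers rule allowing /usr/local/bin/noexec-wrap and then running sudo /usr/local/bin/noexec-wrap /usr/bin/crontab -e. The tool paths are the AIX defaults from the first post, the script name /usr/local/bin/noexec-wrap is an assumption, and the approach differs from sudo's NOEXEC tag in that crontab -e is still free to spawn its editor, which is exactly what NOEXEC forbids and why it breaks. It only closes the $SHELL-based escapes the thread discusses; it is not a substitute for correct filesystem permissions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the four tool paths are
# the AIX defaults the OP listed, /usr/bin/false exists, and the script is
# installed as /usr/local/bin/noexec-wrap (hypothetical name).

# Allowlist of commands the wrapper will run. Absolute paths only, so a
# bare "vi" resolved through a caller-controlled PATH is never accepted.
ALLOWED="/usr/bin/vi /usr/bin/crontab /usr/bin/less /usr/bin/find"

# is_allowed CMD : return 0 if CMD is exactly one entry of ALLOWED, else 1.
is_allowed() {
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# noshell_exec CMD [ARGS...] : run CMD with $SHELL pointed at /usr/bin/false,
# so vi's :sh and :! (and anything else that honours $SHELL) get a program
# that exits immediately. The editor itself is still allowed to start, which
# is what keeps "crontab -e" usable here.
noshell_exec() {
    SHELL=/usr/bin/false
    export SHELL
    exec "$@"     # "$@" keeps arguments with spaces intact, unlike $*
}

# wrapper_main CMD [ARGS...] : deny anything outside the allowlist, report
# the decision on stderr (sudo logs the wrapper invocation itself), then
# hand off to noshell_exec.
wrapper_main() {
    if [ $# -eq 0 ]; then
        echo "usage: $0 /full/path/to/command [args...]" >&2
        return 2
    fi
    if ! is_allowed "$1"; then
        echo "noexec-wrap: refusing $1 (not in allowlist)" >&2
        return 1
    fi
    noshell_exec "$@"
}

# Dispatch only when invoked under the installed script name, so the
# functions above can also be sourced and exercised on their own.
case "${0##*/}" in
    noexec-wrap) wrapper_main "$@" ;;
esac
```

A denied command returns 1 without executing anything; an allowed one replaces the wrapper process, so the exit status the administrator sees is the tool's own.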

  5. Re: AIX x sudo 1.6.9p17

    Guys,
    I only want to allow these commands for the system administrator users
    but I want to make sure that while executing these commands as root
    they ARE not going to escape to a root shell. To avoid this there is
    the NOEXEC option on sudo that, according to the sudo page
    (http://www.sudo.ws/sudo/changes.html), is supposed to work since
    version 1.6.9p14.
    I know that there are other tools that allow the shell escape but I
    would like to focus my test on these ones for now, more specifically
    on crontab -e, which is not working. I'm also using cron.allow and
    cron.deny but in this case I would like to allow a system
    administrator to edit the root's crontab.
    I will keep doing tests and I'll let you know if I make any progress.
    Any comments are still greatly appreciated.

    Jack

  6. Re: AIX x sudo 1.6.9p17

    On Sep 18, 7:01 pm, Niel Lambrechts wrote:
    > On 09/17/2008 11:06 PM, Henry wrote:
    >
    > > no way I'd allow vi, find or crontab to any users except the sys
    > > admin; they're a very wide door.....

    >
    > Why do you think these standard facilities present a security risk, and
    > that sudo is the most appropriate solution?
    >
    > The "AIX way" is to control cron access with cron.allow and cron.deny.
    >
    > Deny access to vi and find? Why not echo, cat and ls as well then? If
    > the permissions of the file-systems are correct, these should not
    > present a risk.
    >
    > regards,
    > Niel


    my ranting isn't restricted to the tools I specified - DENY ALL is the
    only way.
    A well set-up system shouldn't need root access allowed to anyone, and
    sudo with shell wrappers should take care of exceptions.
    However, I totally missed the point (something I do a lot) as the
    query was about sudo and NOEXEC with shell escapes.
