One of the issues I’ve encountered a number of times in
assessments of Linux and AIX environments is the provision of excessive
permissions using sudo. This article is an attempt to highlight those issues
and provide some guidance as to practical resolution.
It is typical in a secured Windows environment that the administrator username is not used for standard business and that those users who require elevated privileges are members of the "Domain Admins" Organisational Unit. The generic Windows administrator account would be renamed and given a randomised, long and complex password, which would then be physically secured and access restricted. In Windows, audit trails can be maintained against each user, and users do not execute commands as other users. This is somewhat different in a Linux environment.
In Linux, it has become more standard to use sudo to "substitute user and do" commands. Sudo in its default implementation is generally in place as follows (example from CentOS):
%wheel ALL = (ALL) ALL
In Red Hat and CentOS, the members of the wheel group are
provided full sudo privileges. In Ubuntu or Debian this would be the members of
the sudoers group or the admin group.
The above means that a user who is a member of the wheel
group can execute ALL commands as ALL users from ALL terminals. In other words, a member of the wheel group can masquerade
as other users or can drop to a root shell and no longer have a full audit
trail against him.
Users often drop to a root shell to avoid typing sudo before every command. Dropping to a root shell is usually done with su -, sudo -i, sudo -s, sudo bash, etc. In order to prevent sudoers from dropping to a root shell, the shell commands can be removed from the executable files available to the users. This can be done by editing the sudoers file as follows:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%wheel ALL = ALL, !SHELLS, !SU
In the above, members of the wheel group can execute all commands on all systems except those listed in SHELLS and SU. Sometimes it is necessary for users to drop to a shell when performing administrative functions. Using the above, you could have a configuration with 1 or 2 users permitted to have root abilities, with the other domain admins having the restricted entry:
%admin ALL = (ALL) ALL
%wheel ALL = ALL, !SHELLS, !SU
Limit access to the admin group in the same way you might
limit access to the administrator account in Windows.
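As an added check (example code written for this article, not part of the original post), the following Python script parses the sudoers fragments above and classifies each entry, flagging the "ALL minus exclusions" pattern that sudoers(5) itself warns cannot reliably keep users out of a shell. The sample sudoers text is constructed from the post's own lines, and the helper names (parse_sudoers, expand, audit) are this example's own; it understands only the subset of the grammar the post uses.

```python
import re

# Constructed sample: the corrected configuration discussed in the post.
SAMPLE_SUDOERS = """
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%admin ALL = (ALL) ALL
%wheel ALL = ALL, !SHELLS, !SU
"""

# user/group, host, optional "(runas)", then the comma-separated command list
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def parse_sudoers(text):
    """Return (aliases, specs) for the subset of sudoers grammar used in the post:
    Cmnd_Alias lines and one-line user specs (no continuations or Defaults)."""
    aliases, specs = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
        elif m := SPEC_RE.match(line):
            specs.append((m.group(1), [c.strip() for c in m.group(4).split(",")]))
    return aliases, specs

def expand(cmd, aliases):
    """Expand a (possibly negated) alias reference to its paths."""
    return aliases.get(cmd.lstrip("!"), [cmd.lstrip("!")])

def audit(text):
    """Classify each spec as 'full', 'blacklist' (ALL minus exclusions) or 'allowlist'.
    'blacklist' is the pattern sudoers(5) warns about: exclusions match by path,
    so a copy of an excluded shell under another name is still permitted."""
    aliases, specs = parse_sudoers(text)
    verdicts = {}
    for who, cmds in specs:
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [p for c in cmds if c.startswith("!") for p in expand(c, aliases)]
        if "ALL" in allowed:
            verdicts[who] = ("blacklist", denied) if denied else ("full", [])
        else:
            verdicts[who] = ("allowlist", [p for c in allowed for p in expand(c, aliases)])
    return verdicts

if __name__ == "__main__":
    for who, (kind, paths) in audit(SAMPLE_SUDOERS).items():
        print(f"{who}: {kind} {', '.join(paths) or '-'}")
```

Run it against a copy of a real sudoers file to see which groups rely on exclusions rather than an explicit allowlist of commands.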

The problem here is that a user can perform cp /bin/bash /opt/myprog && sudo /opt/myprog and get a root shell in any case...

You could make the shells immutable with `chattr +i`. I would suggest also making the /usr/bin/sudo binary and /etc/sudoers files immutable. I am still finding additional weaknesses in this, but it's an improvement...

Other things to consider would be whether the users have the ability to bring in a shell from external and run executables in user-writable directories.

"You could make the shells immutable with `chattr +i`." We can do this, but since USER has all access, what if the user does "chattr -i" for the shell and sudoers file?

The syntax of
Cmnd_Alias SU
SU = /usr/bin/su
appears to be wrong.
Cmnd_Alias SU = /usr/bin/su

How to restrict "sudo su" but I need to switch as normal users. Main aim is to restrict root through any means.
Thanks in advance
Raj