semi secure sudo script to allow restricted copy ability
by 5mi11er (Deacon)
on May 06, 2008 at 16:56 UTC
5mi11er has asked for the wisdom of the Perl Monks concerning the following question:
I've had a lengthy hiatus from perl monks, but I've been lurking around off and on in the last few months.
Anyway, I've recently been forced to actually learn about sudo; I've known it existed, but didn't want/need to take the time to learn about it. (I've lived as root for most of my Linux life.)
But now at a client site, they're in dire need of being able to script making administrative tasks across their servers. So, I've created a normal user "admin" account which is able to ssh via pki (no password needed) across all the servers.
During my investigation of sudo, I've come to realize just how easy it is to allow too much access that would in turn allow pretty trivial exploits to gain full root access. Simply allowing any copy, or move functionality pretty much grants root access. But without that functionality, it's impossible to allow the admin user the ability to do many tasks we want to be able to automate.
Now admittedly, we've already given the user relatively easy exploits by granting them the ability to install software via yum and rpm. But those entail at least some additional non-trivial work to accomplish the task, so we're willing to allow that vulnerability. But I think it's possible to create a semi-secure Perl script that would allow this user the ability to copy to a restricted list of files.
Here's a rundown of what I think the script needs to do:

o Allow only simple file copies, no recursive/directory copies allowed.
o No symbolic links allowed, more on this later.
o Check a root-owned file for a list of valid targets.
  o To allow or not allow Perl regexes to define valid targets? Not convinced either way yet.

Given two user-supplied file path names, we need to potentially de-obfuscate the names. I've done this already in other scripts I've written by simply making the file system do the work for me. I use basename to grab the path, and then attempt to cd into that path, then get the CWD. Presto, a de-obfuscated path.
This helps serve the "no symbolic links" restriction, as any de-obfuscated path should not have any symbolic links within the path. Which means I only have to check if the actual "file" being referenced is a symbolic link itself, a pretty easy test.
So, are there any big "gotchas" in this scheme that I've missed? Obviously the files available to modify have to be carefully considered; /etc/passwd, /etc/shadow, and any /etc/cron* areas are all extremely dangerous...
Thanks in advance,
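An added illustration of the checks sketched in the question (my code, not 5mi11er's script): canonicalize the directory part of each path through the file system, refuse symlinks and directories, and compare the target against a root-owned allow-list. It uses Cwd::realpath on the directory part instead of a manual chdir/getcwd; the allow-list path /etc/restricted-copy.allow and all function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code. Assumes an allow-list at
# /etc/restricted-copy.allow (hypothetical), one absolute target path per line.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Basename qw(fileparse);
use File::Copy qw(copy);

my $ALLOW_FILE = '/etc/restricted-copy.allow';   # hypothetical

# Resolve the directory part via the file system, then re-attach the final
# component unresolved so a symlinked leaf is still visible to the -l test.
sub canon {
    my ($p) = @_;
    my ($leaf, $dir) = fileparse($p);
    die "refusing '.' or '..' as a file name\n" if $leaf eq '.' or $leaf eq '..';
    my $real = realpath($dir);
    defined $real or die "cannot resolve directory of '$p'\n";
    return "$real/$leaf";
}

# Load the allow-list, but only if root owns it and nobody else can write it.
sub load_allow_list {
    my @st = stat $ALLOW_FILE or die "cannot stat $ALLOW_FILE: $!\n";
    die "$ALLOW_FILE must be root-owned and not group/world writable\n"
        if $st[4] != 0 || ($st[2] & 022);
    open my $fh, '<', $ALLOW_FILE or die "cannot open $ALLOW_FILE: $!\n";
    my %allow = map { chomp; /\S/ ? ($_ => 1) : () } <$fh>;
    close $fh;
    return \%allow;
}

# Apply the rules from the question: plain files only, no symlinks at either
# end, no directories (hence no recursive copies), target must be allow-listed.
sub check_pair {
    my ($src, $dst, $allow) = @_;
    my ($s, $d) = (canon($src), canon($dst));
    -l $s and die "source '$s' is a symbolic link\n";
    -f $s or  die "source '$s' is not a plain file\n";
    -l $d and die "target '$d' is a symbolic link\n";
    -d $d and die "target '$d' is a directory; recursive copies not allowed\n";
    $allow->{$d} or die "target '$d' is not in the allow-list\n";
    return ($s, $d);
}

@ARGV == 2 or die "usage: $0 SRC DST\n";
my ($s, $d) = check_pair(@ARGV, load_allow_list());
copy($s, $d) or die "copy failed: $!\n";
```

The allow-list is matched by exact canonical path; adding regex entries would be the place to reason about what a pattern could accidentally match.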