I found an issue: a user can be authorized with the command sudo script.
You can execute the command as a normal user:
sudo script, then you can get a root user.
I found this problem in centos7/centos8.
sudo script can get a root user
Re: sudo script can get a root user
And what are you expecting to happen?
If you grant sudo privileges to a user to run `script` then they can run the `script` command as root. If you have set up that script with insecure permissions so that an unauthorized user can change it then that is your problem not a sudo problem.
You need to be more explicit about what you are doing and how and why exactly you think this is a bug. It sounds to me like user error.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: sudo script can get a root user
From man sudo:
    sudo: execute a command as another user
    sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.
The "another user" is by default 'root'.
You can run the command id -Gn. It shows the groups that your account is a member of. If one of them is 'wheel',
then you can use sudo, because the default security policy allows members of group wheel to run any command
(including scripts) as any user (including root) with sudo.
One can create a policy (a "sudoers rule") that user X can use sudo, but only to run command Y as user Z (i.e. not as root).
Obviously that user can't then be a member of wheel, which allows more via sudo.
Re: sudo script can get a root user
❯ ssh opc@yuanyuan.remote
[opc@instance-20220112-2214 ~]$ ls
1.txt a.out bak c cxx default.conf factorial.c file-final.pcap go hello.c main nohup.out php pre_download.pcap test tulip workspace
[opc@instance-20220112-2214 ~]$ sudo script
Script started, file is typescript
[root@instance-20220112-2214 opc]# id
uid=0(root) gid=0(root) groups=0(root)
[root@instance-20220112-2214 opc]# id -Gn
root
[root@instance-20220112-2214 opc]# ext
bash: ext: command not found
[root@instance-20220112-2214 opc]# exit
exit
Script done, file is typescript
[opc@instance-20220112-2214 ~]$ id -Gn
opc adm wheel systemd-journal docker
[opc@instance-20220112-2214 ~]$
Re: sudo script can get a root user
You're a member of group wheel. Members of group wheel have full sudo ability and can do anything as root. The fact that you can start the script command as the root user is expected due to this.
If you create a new user that is not a member of group wheel then it will not be able to do this.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: sudo script can get a root user
Or as any other user.
I bet that running sudo -l -U opc does show something like:
Matching Defaults entries for opc on instance-20220112-2214:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+=SSH_AUTH_SOCK
User opc may run the following commands on instance-20220112-2214:
(ALL) ALL
That is, the user 'opc' can run sudo -u xx script, and it will be user 'xx' that runs the 'script'.
The default sudo script (when you don't use the -u option) is the same as sudo -u root script.
The ALL says that user 'opc' can use any command with sudo.
The man sudoers explains more.
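As an added example that is not part of the thread, the following POSIX shell script shows the two rule shapes discussed above side by side: the unrestricted "(ALL) ALL" grant that a wheel member gets (the sudo -l -U opc output quoted in this reply) and a "user X may only run command Y as user Z" rule (the sudoers rule described in the earlier reply). The sample outputs, the user 'backup', the runas user 'www-data' and the function names are constructed for the example; the script parses the sample text rather than calling sudo, so it runs without privileges.

```shell
#!/bin/sh
# Constructed sample: the shape of 'sudo -l -U opc' quoted in the thread (unrestricted wheel member).
SAMPLE_UNRESTRICTED='Matching Defaults entries for opc on instance-20220112-2214:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User opc may run the following commands on instance-20220112-2214:
    (ALL) ALL'

# Constructed sample: a sudoers rule of the form "user X may run command Y as user Z (not root)",
# e.g.  backup ALL = (www-data) /usr/bin/script   (check a file like this with: visudo -cf FILE)
# and what 'sudo -l -U backup' prints for that rule.
SAMPLE_RESTRICTED='User backup may run the following commands on instance-20220112-2214:
    (www-data) /usr/bin/script'

# Print only the rule lines (everything after "may run the following commands"), one per line.
list_sudo_rules() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { in_rules = 1; next }
        in_rules { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}

# Return 0 when the output grants any command as any user: "(ALL) ALL", "(ALL : ALL) ALL",
# with or without NOPASSWD. Such a user is effectively root, exactly like the wheel member in the thread.
has_full_sudo() {
    printf '%s\n' "$1" | awk '
        /may run the following commands/ { in_rules = 1; next }
        in_rules && /^[ \t]*\(ALL([ \t]*:[ \t]*ALL)?\)[ \t]+(NOPASSWD:[ \t]*)?ALL[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live variant (needs root to query other users): audit_user NAME
audit_user() {
    has_full_sudo "$(sudo -l -U "$1" 2>/dev/null)"
}

# Demonstration on the constructed samples.
if has_full_sudo "$SAMPLE_UNRESTRICTED"; then
    echo "opc: unrestricted, can run any command as root (wheel-style rule)"
fi
if has_full_sudo "$SAMPLE_RESTRICTED"; then
    echo "backup: unrestricted"
else
    echo "backup: limited to: $(list_sudo_rules "$SAMPLE_RESTRICTED")"
fi
```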