On Mon, Apr 27, 2015 at 1:44 PM, Richo Healey <ri...@psych0tik.net> wrote:
> On 28/04/15 05:28 +1200, Carlin Bingham wrote:
>
>> On Tue, 28 Apr 2015, at 04:46 AM, whynot sudo wrote:
>>
>>> Hello list,
>>>
>>> We know it's safer* to use sudoedit, but what bad things can happen if we
>>> have the following in sudoers?
>>>
>>> Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
>>> foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
>>>
>>> Can the "foouser" escape to root prompt? - of course besides that he
>>> could now edit the /etc/shadow file to put a custom pwd hash to the root
>>> user to become root in about 3 seconds..
>>>
>>> Maybe some magic in .vimrc?
>>>
>>> *=sudo vi would run as root. but sudoedit would run as the given user,
>>> the edited file will be copied before/after editing it.
>>>
>>> Thanks.
>>>
>>>
>> $ sudo vi /bin/ksh
>> :w! /bin/ed
>> :q
>> $ sudo ed
>> #
>>
>
> You can skip some mangling:
>
> $ sudo vi
> :!/bin/sh
> #
>

Except the sudo policy provided would prevent this with NOEXEC flag.
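
An added example, not part of the thread: a small audit that flags sudoers rules running an editor directly, since the exchange above shows NOEXEC blocking the `:!/bin/sh` escape but not writes to root-owned files. The editor list and the `webadmin` rule are assumptions, and the parser only handles simple one-line rules.

```python
import re

# Editors that can write any file when run as root (assumed list; extend as needed).
EDITORS = {"ed", "ex", "vi", "vim", "view", "nano", "pico", "emacs"}

# Constructed sample: the first two lines are the policy from the thread,
# the third is a hypothetical sudoedit rule for contrast.
SAMPLE = """\
Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO
webadmin LOCALHOST = sudoedit /etc/hosts
"""

def audit_sudoers(text):
    """Return (user, command, has_noexec) for every rule that runs an editor directly.

    Simplified parser: one rule per line, no line continuations, includes,
    or negated commands.
    """
    aliases, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if re.match(r"(Defaults|User_Alias|Runas_Alias|Host_Alias)\b", line):
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if not m:
            continue
        # Drop any Runas part such as "(root)" before reading tags and commands.
        user, spec = m.group(1), re.sub(r"\([^)]*\)", "", m.group(2))
        noexec = False
        for item in spec.split(","):
            tags = re.findall(r"\b([A-Z_]+):", item)
            # Tags are sticky: NOEXEC applies until an EXEC tag overrides it.
            if "NOEXEC" in tags:
                noexec = True
            elif "EXEC" in tags:
                noexec = False
            name = re.sub(r"\b[A-Z_]+:\s*", "", item).strip()
            for cmd in aliases.get(name, [name]):
                if cmd and cmd.split()[0].rsplit("/", 1)[-1] in EDITORS:
                    findings.append((user, cmd.split()[0], noexec))
    return findings
```

Every finding is worth replacing with a sudoedit rule on specific files; a finding with `has_noexec` set to True still leaves the editor able to write files as root.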