On Mon, 17 Sep 2007, Chris wrote:
> On 9/17/07, Darrin Chandler <[EMAIL PROTECTED]> wrote:
> > problem is. This is why people keep asking you to explain the problem
> > more.
>
> Sorry for being vague. Ok, I have these in /etc/sudoers for joeuser.
> joeuser is also in the wheel group.
>
> joeuser server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb
mount can be leveraged to full root.
> joeuser server = NOPASSWD: /usr/local/bin/vim /var/www/conf/httpd.conf
> joeuser server = NOPASSWD: /usr/local/bin/vim /etc/rc.local
Both of these commands, if done with vi, probably allow joe to
launch a root shell (ex command :!sh). I don't think vim has any
better protections.
This was, at one time, a common hole in programs like chpass(1).
And, of course, joe can execute arbitrary commands through rc.local.
> joeuser server = NOPASSWD: /usr/sbin/apachectl
Some sort of cleverness with groups might eliminate this one.
> joeuser server = NOPASSWD: /usr/bin/tail -f /var/www/logs/access_log
> joeuser server = NOPASSWD: /usr/bin/tail -f /var/www/logs/error_log
Just make these readable by group wheel.
> joeuser server = NOPASSWD: /usr/local/bin/vim /etc/motd
> joeuser server = NOPASSWD: /usr/local/bin/vim /etc/pf.conf
Same comments as about previous vi-as-root. Make these files
rw by group wheel, and no sudo is needed. Changes might be needed
to /etc, too. Consider making /etc/motd a symbolic link to a
file that joe can edit without privilege. This might work with
pf.conf, too, but I dunno -- maybe pf chokes if ownership isn't
right? Try an experiment.
> I am finding that I need to add joeuser to use pkg_* tools, tcpdump as well.
>
> Is this the right way to do this?
No, not unless you trust joe with full root.
Dave
--
"America ... might become dictatress of the world.
She would be no longer the ruler of her own spirit."
-- John Quincy Adams, July 4, 1821
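The thread's point is that a sudoers rule is only as narrow as the program it names: an editor with a shell escape, mount, or write access to a file that runs as root at boot all amount to full root, while the tail rules can be replaced by group read permission. The following auditing script is an added example and is not code from the thread, from sudo, or from OpenBSD. It parses user-specification lines of the form shown above, classifies each command, and prints the same kind of advice Dave gives. The sets of flagged program names, the risk labels and the advice strings are this script's own assumptions (sudo itself has no such classification); the sample rules are the ones quoted in the thread, and the script only handles tags placed at the start of a command list.

```python
"""Audit sudoers user specifications for rules that hand out more than intended.

Added example for the discussion above, not the thread's or sudo's own code.
Assumptions: tags (NOPASSWD: etc.) appear at the start of the command list,
and the classification tables below are this script's, not a sudo feature.
"""
import os
import re
from dataclasses import dataclass

# Programs with a shell escape (vi family: ":!sh"; less/more: "!cmd").
SHELL_ESCAPE_PROGRAMS = {"vi", "vim", "view", "ex", "less", "more"}
# Programs the thread says can be leveraged to full root, plus sudo's ALL.
FULL_ROOT_BINARIES = {"mount", "ALL"}
# Files executed as root at boot: write access is equivalent to root.
ROOT_SCRIPTS = {"/etc/rc.local"}
# Read-only tools whose sudo rule is usually replaceable by group read access.
GROUP_READ_TOOLS = {"tail", "cat"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(
    r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*)+")


@dataclass
class Finding:
    user: str
    host: str
    command: str
    risk: str      # "full-root", "avoidable" or "review"
    advice: str


def parse_rule(line):
    """Return {user, host, tags, commands} for a user-spec line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                    "Host_Alias", "Runas_Alias")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tags = set()
    t = TAG_RE.match(rest)
    if t:
        tags = set(re.findall(r"[A-Z_]+", t.group(0)))
        rest = rest[t.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "tags": tags, "commands": commands}


def assess(user, host, nopasswd, command):
    """Classify one command entry and attach the mitigation the thread suggests."""
    parts = command.split()
    binary = os.path.basename(parts[0])
    args = parts[1:]
    if binary in FULL_ROOT_BINARIES:
        risk, advice = "full-root", f"{binary} can be leveraged to full root; drop the rule"
    elif binary in SHELL_ESCAPE_PROGRAMS:
        risk = "full-root"
        advice = ("shell escape gives a root shell; make the file rw by a group "
                  "(or use sudoedit) so no sudo is needed")
    elif binary in GROUP_READ_TOOLS:
        risk, advice = "avoidable", "make the file readable by the group instead of using sudo"
    else:
        risk, advice = "review", "check whether the program can spawn a shell or write files"
    if any(a in ROOT_SCRIPTS for a in args):
        risk = "full-root"
        advice += "; this file runs as root at boot, so editing it is arbitrary root commands"
    if nopasswd and risk == "full-root":
        advice += " (NOPASSWD: not even a password is required)"
    return Finding(user, host, command, risk, advice)


def audit(sudoers_text):
    """Run assess() over every command of every user-spec line."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["commands"]:
            findings.append(assess(rule["user"], rule["host"], nopasswd, cmd))
    return findings


# The rules quoted in the thread, used here as sample input.
SAMPLE_SUDOERS = """\
# joeuser is also in group wheel
joeuser server = NOPASSWD: /sbin/mount, /usr/libexec/locate.updatedb
joeuser server = NOPASSWD: /usr/local/bin/vim /var/www/conf/httpd.conf
joeuser server = NOPASSWD: /usr/local/bin/vim /etc/rc.local
joeuser server = NOPASSWD: /usr/sbin/apachectl
joeuser server = NOPASSWD: /usr/bin/tail -f /var/www/logs/access_log
joeuser server = NOPASSWD: /usr/bin/tail -f /var/www/logs/error_log
joeuser server = NOPASSWD: /usr/local/bin/vim /etc/motd
joeuser server = NOPASSWD: /usr/local/bin/vim /etc/pf.conf
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.risk:9}] {f.user}@{f.host}: {f.command}\n            -> {f.advice}")
```

Run against the quoted rules, five of the nine command entries come out as full root (mount and the four vim rules), the two tail rules as avoidable, and only locate.updatedb and apachectl are left for case-by-case review, which matches the conclusion that the set as written is only acceptable if joe is trusted with root anyway.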