Date: Sat, 28 Apr 2012 19:02:14 -0400
From: Jason Hellenthal
To: Kurt Jaeger
Cc: freebsd-stable@freebsd.org
Subject: Re: Restricting users from certain privileges
Message-ID: <20120428230214.GA34324@DataIX.net>

On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote:
> Hi!
>
> > > > Please do study sudo real power :-)
> > > > It can give selective privileges per-command,
> [...]
> > > Just make sure none of the permitted commands has got the
> > > feature of starting a shell ;-))
> >
> > Right, think of vi(1), less(1), et al.
>
> Even this aspect is taken care of with sudo (at least to a certain limit):
>
> NOEXEC and EXEC
>
> If sudo has been compiled with noexec support and the underlying
> operating system supports it, the NOEXEC tag can be used to prevent a
> dynamically-linked executable from running further commands itself.
>
> In the following example, user aaron may run /usr/bin/more and
> /usr/bin/vi but shell escapes will be disabled.
>
> aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
>
> See the "PREVENTING SHELL ESCAPES" section below for more details on
> how NOEXEC works and whether or not it will work on your system.
>

cp /usr/bin/vi ~/ or upload your own...

sudo $HOME/vi

You need to be very careful with this NOEXEC thinking as it will not
always get you what you originally intended.

--

 - (2^(N-1))
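
Added example (not part of the original message and not sudo's own code): the quoted manual text limits NOEXEC to dynamically-linked executables, so this Python check reads the ELF program headers of each command in a NOEXEC rule and also flags binaries that a non-root user could replace. Assumptions: the function names are hypothetical, and only the simple `user host = NOEXEC: cmd, cmd` form is parsed (no aliases, Runas specs or command arguments).

```python
# Added example; helper names are illustrative and the sudoers parsing is simplified.
import os, stat, struct

PT_DYNAMIC, PT_INTERP = 2, 3  # ELF program header types

def is_dynamic_elf(data):
    """True if the ELF image carries a PT_INTERP or PT_DYNAMIC program header."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return False
    order = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(order + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(order + "HH", data, 54)
    else:                                        # ELF32
        (phoff,) = struct.unpack_from(order + "I", data, 28)
        phentsize, phnum = struct.unpack_from(order + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break
        (p_type,) = struct.unpack_from(order + "I", data, off)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return True
    return False

def noexec_commands(line):
    """Commands after NOEXEC: in one simple 'user host = NOEXEC: cmd, cmd' line."""
    _, _, rhs = line.partition("=")
    _, tag, cmds = rhs.partition("NOEXEC:")
    return [c.strip() for c in cmds.split(",") if c.strip()] if tag else []

def audit(path):
    """List reasons why NOEXEC on this command may not hold."""
    if not os.path.isabs(path):
        return ["not an absolute path"]
    try:
        st = os.stat(path)
        with open(path, "rb") as f:
            data = f.read()
    except OSError as e:
        return ["cannot read: " + str(e.strerror)]
    problems = [] if is_dynamic_elf(data) else ["not a dynamically linked ELF"]
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("binary not root-owned or writable by group/other")
    return problems

if __name__ == "__main__":
    rule = "aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi"  # line quoted above
    for cmd in noexec_commands(rule):
        print(cmd, audit(cmd) or "ok")
```

A script with a `#!` line is reported as "not a dynamically linked ELF" too; in that case the interpreter it names is the binary to audit.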