Date: Sat, 28 Apr 2012 19:02:14 -0400 From: Jason Hellenthal <jhellenthal@dataix.net> To: Kurt Jaeger <lists@opsec.eu> Cc: freebsd-stable@freebsd.org Subject: Re: Restricting users from certain privileges Message-ID: <20120428230214.GA34324@DataIX.net> In-Reply-To: <20120428180431.GP5335@home.opsec.eu> References: <CACuV5sCyCgn8aBawTEP=BT%2B%2B4Ut4kPt8fXSq%2BgcS2YrkZaU%2BJw@mail.gmail.com> <E1SO2ER-000K66-8k@kabab.cs.huji.ac.il> <CACuV5sCHmnUnXTTY%2BkGqszi-Ynu8Vr3bf%2BLALf=yQbhHPXSdXA@mail.gmail.com> <4F9BBABA.6040708@rdtc.ru> <0F37A1B9-993B-4A4E-9FCC-8B19AADCFB72@punkt.de> <20120428102117.GX37811@e-new.0x20.net> <20120428180431.GP5335@home.opsec.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Apr 28, 2012 at 08:04:31PM +0200, Kurt Jaeger wrote: > Hi! > > > > > Please do study sudo real power :-) > > > > It can give selective privileges per-command, > [...] > > > Just make sure none of the permitted commands has got the > > > feature of starting a shell ;-)) > > > > Right, think of vi(1), less(1), et al. > > Even this aspect is taken care of with sudo (at least to a certain limit): > > NOEXEC and EXEC > > If sudo has been compiled with noexec support and the underlying > operating system supports it, the NOEXEC tag can be used to prevent a > dynamically-linked executable from running further commands itself. > > In the following example, user aaron may run /usr/bin/more and > /usr/bin/vi but shell escapes will be disabled. > > aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi > > See the "PREVENTING SHELL ESCAPES" section below for more details on > how NOEXEC works and whether or not it will work on your system. > cp /usr/bin/vi ~/ or upload your own... sudo $HOME/vi You need to be very careful with this NOEXEC thinking as it will not always get you what you originally intended. -- - (2^(N-1))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120428230214.GA34324>