Re: Sudo

Re: Sudo

[Pradeep Kumar Sadanapalli]

Thanks subhash for guiding me in the right direction and thank you all for all your responses . This is what I did.

In the sudoers file,I added this

"
#To restrict the user in installing any rpm starting with abc

Cmnd_Alias NOACCESS = /bin/rpm *abc*
user1 host-name=NOACCESS

"
Now the user 'user1' will not be able to install/uninstall/query any rpm package that has abc in it. 

But the problem is , say user1 wants to install abc.rpm and as he is restricted , he/she cannot install. But there is one way. If the user changes the name of the rpm, say "cp abc.rpm xyz.rpm" and then user1 can easily install xyz.rpm . And if you login as root and query for the package abc.rpm, it says abc.rpm is installed , even though the user has installed it with a different name. 

How to get rid of this? Is it possible to detect which rpm package is going t o be installed , even if it's name is changed, by somehow looking into internal packages or something like that. Please help me with this. I hope I made my point clear. Thanks a lot in advance....


--- "Subhash Bhushan" <subhash_bhushan@hotmail.com> wrote:
>>From: Pradeep Kumar Sadanapalli <spradeep@ceeby.com>
>>Reply-To: spradeep@ceeby.com
>>To: linux-admin@vger.kernel.org
>>Subject: Sudo
>>Date: Tue, 17 Jun 2003 20:16:59 -0700 (PDT)
>>
>>Hi,
>>I have given sudo rights to a user for the command "rpm" . but within rpm, 
>>I want to keep some restrictions. For example, the user should not be able 
>>to run "rpm" to install a package I wish, say "abc.rpm" .
>>
>>That means  "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh 
>>abc.rpm"
>>
>>Is it possible? If so, please help me out how to do this. I hope I am clear 
>>with what I intend to do .
>>
>>Thanks in advance....
>>
>
>
>Specify a command alias with the specific rpm command that you want to deny.
>Specify a user alias for all the users you want to prevent from running this 
>command.
>In the user previlege specification, negate the permission for the running 
>the command for those users.
>
>The trick is to specify the complete command in the command alias. Be 
>careful not to allow any combinations of rpm command to be able to run with 
>that specific rpm.
>
>Subhash Bhushan.
>
>
>
>_____________________________________________________________
>>Search - Browse - Communicate
>>http://www.ceeby.com
>>Best Meta Search Engine on the Web.
>>
>>_____________________________________________________________
>>Select your own custom email address for FREE! Get you@yourchoice.com, No 
>>Ads, 6MB, IMAP, POP, SMTP & more! 
>>http://www.everyone.net/selectmail?campaign=tag
>>-
>>To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>>the body of a message to majordomo@vger.kernel.org
>>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>_________________________________________________________________
>Bollywood's back! Will June keep up the tempo? 
>http://server1.msn.co.in/features/junemovies03/index.asp

_____________________________________________________________
Search - Browse - Communicate
http://www.ceeby.com
Best Meta Search Engine on the Web.

_____________________________________________________________
Select your own custom email address for FREE! Get you@yourchoice.com, No Ads, 6MB, IMAP, POP, SMTP & more! http://www.everyone.net/selectmail?campaign=tag

Re: Sudo

[Arvind]

[-- Attachment #1: Type: text/plain, Size: 1244 bytes --]

Hi,

>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> But the problem is , say user1 wants to install abc.rpm and as
> he is restricted , he/she cannot install. But there is one way.
> If the user changes the name of the rpm, say "cp abc.rpm
> xyz.rpm" and then user1 can easily install xyz.rpm . And if you
> login as root and query for the package abc.rpm, it says
> abc.rpm is installed , even though the user has installed it
> with a different name. 

Here's one way to do it, using an external script, though:

1. Create a file (say reject.rpms) with a newline delimited list
   of rpm regexs to reject. This is a list of the real rpm names.
   Ex:

    $ cat reject.rpms
    abc.*
    pqr.*

2. Then, write a small shell script like the one attatched as a
   wrapper to rpm (say userrpm).

3. Give root permission to this script in /etc/sudoers, without
   password.

   user  ALL=(root) NOPASSWD:/usr/local/bin/userrpm

Your users will have to use this as:

$ sudo userrpm -Uvh abc-1.0.0.rpm

Well, as has been already been mentioned many times in this
thread, this is extremely insecure. It's not very difficult to
get past even this check. I wouldn't recommend using this.

Arvind
-- 
   .~.
   /V\
  // \\
 /(   )\
  ^`~'^




[-- Attachment #2: userrpm --]
[-- Type: text/plain, Size: 520 bytes --]

#!/bin/ksh

# Get a list of rpms from the command line. That is, ignore all rpm
# options and so on.
rpmlist="`echo $* | tr -s ' ' '\n' | grep '\.rpm$'`"

for each in $rpmlist
do
    # Get the actual rpm name.
    rpmname="`rpm -qp "$each" --qf '%{NAME}'`"
    # Check against given list of rpms to reject.
    retval="`echo $rpmname | grep -v -q -f reject.rpms; echo $?`"
    if [ "$retval" != 0 ]
    then
        echo "You don't have permission to install $each ($rpmname)."
        exit 1
    fi
done

exec rpm "$@"

sudo

[Clarkson, Mike R (US SSA)]

Should sudo work with the strict policy? Using the RHEL5.1 strict
policy, sudo doesn't work in enforcing mode. Looking at the audit logs,
quite a few rules need to be added to get it working. This is seems to
be the case when I'm in either the staff_t or sysadm_t domain. Is there
an easy trick to get sudo working? Or do I just need to use the audit
logs to figure out which rules I need to add?

Thanks



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Sudo

[Subhash Bhushan]

>From: Pradeep Kumar Sadanapalli <spradeep@ceeby.com>
>Reply-To: spradeep@ceeby.com
>To: linux-admin@vger.kernel.org
>Subject: Sudo
>Date: Tue, 17 Jun 2003 20:16:59 -0700 (PDT)
>
>Hi,
>I have given sudo rights to a user for the command "rpm" . but within rpm, 
>I want to keep some restrictions. For example, the user should not be able 
>to run "rpm" to install a package I wish, say "abc.rpm" .
>
>That means  "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh 
>abc.rpm"
>
>Is it possible? If so, please help me out how to do this. I hope I am clear 
>with what I intend to do .
>
>Thanks in advance....
>


Specify a command alias with the specific rpm command that you want to deny.
Specify a user alias for all the users you want to prevent from running this 
command.
In the user previlege specification, negate the permission for the running 
the command for those users.

The trick is to specify the complete command in the command alias. Be 
careful not to allow any combinations of rpm command to be able to run with 
that specific rpm.

Subhash Bhushan.



_____________________________________________________________
>Search - Browse - Communicate
>http://www.ceeby.com
>Best Meta Search Engine on the Web.
>
>_____________________________________________________________
>Select your own custom email address for FREE! Get you@yourchoice.com, No 
>Ads, 6MB, IMAP, POP, SMTP & more! 
>http://www.everyone.net/selectmail?campaign=tag
>-
>To unsubscribe from this list: send the line "unsubscribe linux-admin" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html

_________________________________________________________________
Bollywood's back! Will June keep up the tempo? 
http://server1.msn.co.in/features/junemovies03/index.asp

Sudo

[Pradeep Kumar Sadanapalli]

Hi,
I have given sudo rights to a user for the command "rpm" . but within rpm, I want to keep some restrictions. For example, the user should not be able to run "rpm" to install a package I wish, say "abc.rpm" .

That means  "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh abc.rpm" 

Is it possible? If so, please help me out how to do this. I hope I am clear with what I intend to do .

Thanks in advance....

_____________________________________________________________
Search - Browse - Communicate
http://www.ceeby.com
Best Meta Search Engine on the Web.

_____________________________________________________________
Select your own custom email address for FREE! Get you@yourchoice.com, No Ads, 6MB, IMAP, POP, SMTP & more! http://www.everyone.net/selectmail?campaign=tag

Re: Sudo

[Glynn Clements]

Pradeep Kumar Sadanapalli wrote:

> I have given sudo rights to a user for the command "rpm" . but within
> rpm, I want to keep some restrictions. For example, the user should
> not be able to run "rpm" to install a package I wish, say "abc.rpm" .
> 
> That means "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh
> abc.rpm"

If a user can run RPM as root, they can create and subsequently
install their own RPMs, e.g. one which gives them a root shell.

If you don't trust the user with unrestricted root privilege, be very,
very careful about giving them "sudo" privilege. Many programs can be
"tricked" into doing things which they weren't intended to do.

-- 
Glynn Clements <glynn.clements@virgin.net>

Re: Sudo

[Brian Davidson]

To do what you're talking about, you would need to have sudo call a 
shell script that you write.  The shell script then would have to check 
& see if the package was allowed.  As has been mentioned, this can be 
pretty dangerous..  You might want to instead check to see if the 
package the user requested is in an allowed list.  Of course then you 
have to explicitly list all packages the user is allowed to install.

On Tuesday, June 17, 2003, at 11:16 PM, Pradeep Kumar Sadanapalli wrote:

> Hi,
> I have given sudo rights to a user for the command "rpm" . but within 
> rpm, I want to keep some restrictions. For example, the user should 
> not be able to run "rpm" to install a package I wish, say "abc.rpm" .
>
> That means  "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh 
> abc.rpm"
>
> Is it possible? If so, please help me out how to do this. I hope I am 
> clear with what I intend to do .
>
> Thanks in advance....