funsec mailing list archives
symlink creation (and sudo)
From: Damian Gerow <dgerow () afflictions org>
Date: Thu, 27 May 2010 11:41:20 -0400
(Perhaps a bit of a newbie question, but I'm not finding anything on Google.)

I'm working with some people to restrict our current sudo configuration from ALL to something a little more reasonable. Until we fully adopt a whitelist configuration, we've got a blacklist in place with the usual suspects: editors, shells, sed/awk/tee/perl, etc., as well as some more obtuse ones (specific to our environment).

So we started playing around with the configuration, seeing how many holes we could find (stress relief), and we were surprised to find the following:

    % sudoedit /etc/sudoers
    Sorry, user dwg is not allowed to execute 'sudoedit /etc/sudoers' on <host>.
    % ln -s /etc/sudoers bob
    % sudoedit bob
    <make changes, save, quit>
    %

The shocking part isn't the 'sudoedit bob', but that my user is allowed to create the symlink in the first place. sudoers is 0440, and I'm not in its group, so I'd have expected this to fail.

I could have sworn that I'd be unable to symlink to a file to which I have no read access, and my co-workers felt the same way. In fact, I have very specific memories of being unable to do just this, but I've been able to do it on multiple systems (various Linux flavours, up to FC11, and a very recent FreeBSD). So, it's possible that I'm just confusing things with an OWL/GRSec/etc. kernel from a previous life.

So, leaving aside the fact that a 'proper' sudo configuration based on blacklists is impossible, my questions are:

Is this behaviour not tunable? Is there some knob somewhere I can twiddle to not allow symlink creation to files to which the user has no read access?

But perhaps more importantly, I don't understand why I'd be allowed to do this in the first place. Why should a generic user be allowed to create symlinks to protected system files?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
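Editor's added example, not part of Damian's message or of any reply in the thread: it reproduces the observation in a scratch directory and shows the check a privileged editor needs. The reason the link can be made is that symlink(2) is permission-checked only against the directory that will hold the link (write and search permission there); the target is stored as an opaque string and is never opened, stat'ed, or even required to exist, so no mode bits on /etc/sudoers can stop `ln -s`. (The fs.protected_symlinks sysctl that Linux added in kernel 3.6 restricts following links in sticky world-writable directories, not creating them.) The defence therefore belongs in the program that opens the path with elevated privilege: open each component with O_NOFOLLOW so the kernel refuses a symlink atomically, which is what sudo itself later did (sudoedit stopped following symlinks by default when the `sudoedit_follow` option arrived in sudo 1.8.15). The file name "sudoers", the link name "bob" and the scratch directory below are constructed for this example.

```python
# Added example (editor's, not from the funsec thread): reproduce the
# "ln -s <unreadable file> bob" observation and show how a privileged
# program should open a user-supplied path so the trick fails.
import errno
import os
import stat
import tempfile


def link_to_unreadable_file(workdir):
    """Create a 0000 file and a symlink pointing at it.

    symlink(2) is checked only against the directory that will hold the
    link (write + search permission there); the target is stored as an
    opaque string and is never opened or stat'ed. The link therefore
    succeeds even though the caller cannot read the target.
    """
    target = os.path.join(workdir, "sudoers")   # constructed stand-in for /etc/sudoers
    with open(target, "w") as f:
        f.write("root ALL=(ALL) ALL\n")
    os.chmod(target, 0o000)                      # unreadable by anyone but root
    link = os.path.join(workdir, "bob")
    os.symlink(target, link)                     # does not fail
    return link


def open_nofollow(path):
    """Open an absolute path without following a symlink at any component.

    Every component is opened relative to the previous one (openat(2) via
    dir_fd) with O_NOFOLLOW, so the kernel itself refuses a symlink with
    ELOOP and there is no lstat()-then-open() race to exploit. Returns an
    open fd, or None if a symlink was refused somewhere in the path.
    """
    if not os.path.isabs(path):
        raise ValueError("absolute path required")
    parts = [p for p in path.split("/") if p]
    fd = os.open("/", os.O_RDONLY)
    for i, part in enumerate(parts):
        try:
            nfd = os.open(part, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
        except OSError as e:
            os.close(fd)
            if e.errno == errno.ELOOP:
                return None              # symlink: refuse, do not follow
            raise
        os.close(fd)
        fd = nfd
        # everything before the last component has to be a real directory
        if i < len(parts) - 1 and not stat.S_ISDIR(os.fstat(fd).st_mode):
            os.close(fd)
            raise NotADirectoryError(path)
    return fd


def demo():
    """Run the scenario in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        d = os.path.realpath(d)        # /tmp may itself be a symlink on some systems
        link = link_to_unreadable_file(d)
        fd = open_nofollow(d)
        result = {
            "link_created": os.path.islink(link),
            # access() follows the link: False as an ordinary user, True as root
            "target_readable_by_me": os.access(link, os.R_OK),
            "nofollow_refused": open_nofollow(link) is None,
            "plain_path_opens": fd is not None,
        }
        if fd is not None:
            os.close(fd)
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as an ordinary user, `link_created` is True while `target_readable_by_me` is False, which is exactly the situation in the post: the link exists, the user cannot read through it, and the only thing that would turn it into a write to the target is a privileged program that follows it. `open_nofollow` refuses the link (`nofollow_refused` is True) and still opens a plain path. Run as root, `target_readable_by_me` is also True because root bypasses mode bits, which is why the check has to live in the privileged opener rather than in the user's ability to create links.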
Current thread:
- symlink creation (and sudo) Damian Gerow (May 27)
- Re: symlink creation (and sudo) Bill Weiss (May 27)
- Re: symlink creation (and sudo) Valdis . Kletnieks (May 27)
- Re: symlink creation (and sudo) Damian Gerow (May 27)
- Re: symlink creation (and sudo) Valdis . Kletnieks (May 27)
- Re: symlink creation (and sudo) Damian Gerow (May 27)
- Re: symlink creation (and sudo) der Mouse (May 27)
- Re: symlink creation (and sudo) Damian Gerow (May 27)