UNIX for Advanced & Expert Users

Hello all,

I manage some HP-UX 11.31 servers. I have some users that have sudo access. All of them belong to the 'sudoers' user group. Right now, sudo is configured as wide open:

%sudoers ALL=(ALL) ALL

We are using sudo mostly for auditing purposes - when a user wants to run a privileged command, I want to see exactly what they are doing in syslog.

I have some sneaky users however who are running '/usr/sbin/smh' and also just 'su -' to gain a root shell. I don't like this because I cannot see what they're doing.

What lines can I add to the /etc/sudoers file to block this group from running these commands? I have googled and found lots of examples of allowing a specific list of commands and blocking everything else, but I want the opposite; I want to allow sudoers to run any commands they like, except for the few I specify on my "block list".

Does someone know how I can implement this?

Thank you

The problem is the use of "default permit". Like in a firewall, this opens not just a security hole but all possible security holes. Whenever they think of a new way to get root shells you haven't thought of, they will be able to do it.

Block everything by default. Remove the allow-everything sudo rule. The only holes in the configuration will be ones you open.

Then make individual sudo rules to allow only the few things they actually need.

Thank you for the reply,

Yes I realize that from a security standpoint, your recommendation is the best approach. I'm the senior HP-UX admin here, and all the users that have sudo access are Junior admins, so we're all on the same team. The Junior admins really need to have access to just about everything that root can do, because they need to manage things when I'm out on vacation or whatever, and they need to try things on their own and learn the systems. These are dev & test servers, not production.

I trust them not to break things (too much), I just want there to be an audit trail of who ran what and when, when it comes to privileged commands.

A black list of just a hand ful of items is sure easier to manage than a white list with thousands of things on it.

So yes I understand your recommendation, but in my particular situation, it isn't of great concern if they find another way to get a root shell, I'll just add it to the black list. These Jr. admins aren't super savy hacker types, they mostly just use google and try the first 2 or 3 things they come across.

I fear you are faced with the problem of stopping root from being root, but blacklists appear to be possible using aliases, though they're not called blacklists because you can't say "permit everything" then add another rule saying "...except this". It would end up as more of a "permit everything but this" rule.

Modifying an example from my linux system's man sudoers:

Code:

# From 'man sudoers'
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                /usr/local/bin/tcsh, /usr/bin/rsh, \
                                /usr/local/bin/zsh

# jill may run any commands in the directory /usr/bin/ except for those
# commands belonging to the SU and SHELLS Cmnd_Aliases.
jill           ALL = /usr/bin/, !SU, !SHELLS

Perfect, thank you.

This example works perfectly unless there's a copy/link of /bin/vi in /usr/bin/ directory. Just execute sudo /usr/bin/vi. Press ESC and type :!/bin/sh and bam!! You get a root shell!!

Just recheck if there's anything in /usr/bin directory that can let you escape to shell. If so, make a separate command alias to deny explicitly.

For that matter, they could always try the sledgehammer approach:

Code:

sudo cp /bin/sh /usr/bin/freakazoid ; sudo /usr/bin/freakazoid

..and if you can't let them have cp, what can they have?

You're still stuck trying to stop root from being root.