Never configure sudo so that a restricted sudoer can elevate their own privileges or those of another account. For every utility a sudoer is allowed to run via sudo, work out whether it could be used to extend that user's own access, or the access of others with whom they might collude. Seemingly benign, everyday utilities such as cat, echo and vi can trivially overwrite existing configuration files and change permissions when they run as root.
Even the tcpdump example mentioned previously has issues you need to consider. Part of the reason the hypothetical security analyst was given sudo access to /usr/sbin/tcpdump, rather than the root password, was to let the analyst create new capture files while preventing them from reading captures that already existed on the system. To keep the analyst away from the existing capture files, those files were given mode 600 (rw-------) and were owned by root.
Look at the following session and observe how the analyst can use sudo access to a single program to gain elevated, unintended access to those files:
    -rw------- 1 root root 3858884 Oct 10 14:29 traffic.out
    [email protected]:/var/traffic> sudo /usr/sbin/tcpdump -r traffic.out -w traffic.out2
    reading from file traffic.out, link-type EN10MB (Ethernet)
    [email protected]:/var/traffic> ls -l
    total 7551
    -rw------- 1 root root 3858884 Oct 10 14:29 traffic.out
    -rw-r--r-- 1 root root 3858884 Oct 10 14:43 traffic.out2
Notice that traffic.out2 is world-readable. Because tcpdump ran as root, the 600 mode on traffic.out did not stop it from reading the file, and the copy it wrote was created under the default umask (typically 022), so it came out rw-r--r--. The analyst has used a single permitted command to gain unintended and undesirable access to a supposedly protected resource. File modes and ownership protect against the analyst's own account, not against a program the analyst can run as root; restricting sudo to one binary does not restrict what that binary does with root's privileges.
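Two checks an administrator could run against this situation, as an added shell example that is not part of the original article. classify_entry and audit_sudoers flag sudoers command specs that grant a file-capable utility (the cat/echo/vi/tcpdump class discussed above), that list no arguments at all (as the bare /usr/sbin/tcpdump entry does, which is what made -r and -w available), or that pin arguments with a wildcard (a sudoers wildcard can match across argument boundaries, so it does not confine the command to one directory). world_readable finds files in a protected directory that others can read, which would have caught traffic.out2. The sudoers lines, the FILE_CAPABLE list, the scratch files and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: two checks for the sudo/tcpdump
# situation described above.
#   classify_entry / audit_sudoers - flag sudoers command specs that let a
#       restricted sudoer read or write arbitrary files as root
#   world_readable - list files in a "protected" directory that others can read,
#       which is what traffic.out2 became after "tcpdump -r ... -w ..."
set -f   # no filename globbing: specs such as /var/log/* are data here, not paths

# Utilities that read or overwrite arbitrary files (or escape to a shell) when
# run as root. Assumed starting list for the example; extend it for your site.
FILE_CAPABLE='cat echo tee cp dd vi vim tcpdump'

# Constructed sample sudoers content (not from any real system).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
analyst ALL=(root) /usr/sbin/tcpdump
ops     ALL=(root) NOPASSWD: /usr/bin/vi /etc/hosts
backup  ALL=(root) /usr/bin/cat /var/log/*
dba     ALL=(root) /usr/local/bin/dbtool
web     ALL=(root) /usr/bin/systemctl restart app-*
www     ALL=(root) /usr/bin/systemctl restart apache2'

# classify_entry '<one sudoers user spec line>'
# Prints FILE_CAPABLE, UNPINNED_ARGS, WILDCARD_ARGS or OK.
classify_entry() {
    spec=${1#*=}                                   # text after "user HOST="
    spec=$(printf '%s\n' "$spec" |
        sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' \
            -e 's/^\([A-Z]*:[[:space:]]*\)*//')    # drop "(root)" and tags like NOPASSWD:
    set -- $spec
    cmd=$1
    if [ $# -gt 0 ]; then shift; fi
    base=${cmd##*/}
    for u in $FILE_CAPABLE; do
        if [ "$base" = "$u" ]; then echo FILE_CAPABLE; return; fi
    done
    # No arguments listed means sudo accepts ANY arguments: this is exactly what
    # allowed "tcpdump -r traffic.out -w traffic.out2" in the article.
    if [ $# -eq 0 ]; then echo UNPINNED_ARGS; return; fi
    # A sudoers wildcard can match across argument boundaries, so an entry such
    # as "-w /var/traffic/*" would not confine the command to that directory.
    case "$*" in *\**|*\?*|*\[*) echo WILDCARD_ARGS; return ;; esac
    echo OK
}

# audit_sudoers: reads sudoers text on stdin, prints "CLASS<TAB>line" for every
# entry that is not OK, and returns 1 if anything was flagged.
audit_sudoers() {
    flagged=0
    while IFS= read -r line; do
        case "$line" in ''|\#*|Defaults*|*_Alias*) continue ;; esac
        c=$(classify_entry "$line")
        if [ "$c" != OK ]; then
            printf '%s\t%s\n' "$c" "$line"
            flagged=1
        fi
    done
    return $flagged
}

# world_readable <dir>: regular files under <dir> with the other-read bit set.
world_readable() {
    find "$1" -type f -perm -004
}

# demo_umask: reproduce in a scratch directory how traffic.out2 ended up 644.
# The copy is created under the umask of the root-privileged process; a
# typical 022 yields rw-r--r-- no matter how tightly traffic.out was locked down.
demo_umask() {
    d=$(mktemp -d)
    ( umask 077; : > "$d/traffic.out"  )   # 600, as the article prescribes
    ( umask 022; : > "$d/traffic.out2" )   # 644, what the copy came out as
    world_readable "$d"
    rm -rf "$d"
}

# Run stand-alone: audit the constructed sample, then show the umask effect.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers || echo "sudoers: findings above"
demo_umask
```

Run against a real system with `audit_sudoers < /etc/sudoers` (and the files under /etc/sudoers.d) and `world_readable /var/traffic`; a non-zero exit from audit_sudoers or any output from world_readable is a finding to follow up.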