Thread: Invoking Sudo?

  1. #1

    Invoking Sudo?

    Hello,

    I would like to set up an entry in my sudoers file to allow a user to run a command without a password. I would also like to pass options to that command. What I have looks like this:

    myuser ALL=(otheruser) NOPASSWD: /bin/myprog

    When invoking it I want to do something like this:

    myuser@myhost> sudo -u otheruser /bin/myprog -option value -option2 value2

    Is there any way I can enclose those options in quotes and still have sudo run the program?

    The options are built dynamically and I'm wondering if I leave things outside of quotes that there is a potential security risk that users will be able to append their own commands after /bin/myprog.

    Any thoughts?

    Thanks.

  2. #2

    Re: Invoking Sudo?


    I'm 99% sure that what you're doing should be fine. A subsequent command
    on the same line (after a semicolon for example) should not run in a
    privileged mode at all. Test to be sure, but that is my understanding of
    sudo.

    Also, you need to make sure your program (myprog) does not do anything
    stupid and run code given to it unless you mean it to do that. Nothing
    you do on the command line will do that for you.

    Good luck.




    pwright2 wrote:
    > Hello,
    >
    > I would like to set up an entry in my sudoers file to allow a user to
    > run a command without a password. I would also like to pass options to
    > that command. What I have looks like this:
    >
    > myuser ALL=(otheruser) NOPASSWD: /bin/myprog
    >
    > When invoking it I want to do something like this:
    >
    > myuser@myhost> sudo -u otheruser /bin/myprog -option value -option2
    > value2
    >
    > Is there any way I can enclose those options in quotes and still have
    > sudo run the program?
    >
    > The options are built dynamically and I'm wondering if I leave things
    > outside of quotes that there is a potential security risk that users
    > will be able to append their own commands after /bin/myprog.
    >
    > Any thoughts?
    >
    > Thanks.
    >
    >


  3. #3

    Re: Invoking Sudo?

    I did some testing and the options work great. This will be a command invoked from a web application (running under wwwrun).

    For this to work, wwwrun will need to sudo over to another account and run a reporting tool with command options passed in via the application. Some of those are text box inputs (where a user may be able to put a semi-colon or whatever). This would allow the sudo command to run under the report account, and then come back and give control to wwwrun (I think)

    For example (php code):
    $arg1 = $_POST["argument1"];
    $cmd = "/usr/bin/sudo /bin/myprog -arg1 $arg1";
    exec($cmd, $output, $rc);

    If user posts:
    $arg1 as test; rm -rf /var/lib/wwwrun/*

    Then I think this could have potential risks.

    I was thinking 2 things:
    1) wwwrun, to my understanding does not own any "important" files on the filesystem as a default (I checked the /var/lib/wwwrun directory and it is empty). I wonder if this user owns any files by default
    2) I could always enclose the arguments passed via $_POST in quotation marks:

    $cmd = "/usr/bin/sudo /bin/myprog -arg1 \"$arg1\"";

    Any suggestions on which would be better? Maybe a combination of both? Prevent against the possibility of giving command controls to wwwrun, but feel "safer" knowing that this user cannot really cause harm on the filesystem (I suppose it is always possible to kill the web server with some kill commands...)

  4. #4

    Re: Invoking Sudo?


    First, be aware that what you're doing is risky and you should probably be
    reading everything in the world on SQL Injection and other types of
    injection as that is what you are up against. If you put double-quotes
    around something what prevents the attacker from putting a quote in there
    as well?

    What you need to be doing is looking at PHP's commands for escaping data
    for use like this.

    http://www.php.net/escapeshellarg

    After that is done make sure you VERY thoroughly test the functionality.
    Quotes should be escaped by this so that may help. If you mess this up or
    if your command via sudo is written poorly you will lose your system.

    Good luck.





    pwright2 wrote:
    > I did some testing and the options work great. This will be a command
    > invoked from a web application (running under wwwrun).
    >
    > For this to work, wwwrun will need to sudo over to another account and
    > run a reporting tool with command options passed in via the application.
    > Some of those are text box inputs (where a user may be able to put a
    > semi-colon or whatever). This would allow the sudo command to run under
    > the report account, and then come back and give control to wwwrun (I
    > think)
    >
    > For example (php code):
    > $arg1 = $_POST["argument1"];
    > $cmd = "/usr/bin/sudo /bin/myprog -arg1 $arg1";
    > exec($cmd, $output, $rc);
    >
    > If user posts:
    > $arg1 as test; rm -rf /var/lib/wwwrun/*
    >
    > Then I think this could have potential risks.
    >
    > I was thinking 2 things:
    > 1) wwwrun, to my understanding does not own any "important" files on
    > the filesystem as a default (I checked the /var/lib/wwwrun directory and
    > it is empty). I wonder if this user owns any files by default
    > 2) I could always enclose the arguments passed via $_POST in quotation
    > marks:
    >
    > $cmd = "/usr/bin/sudo /bin/myprog -arg1 \"$arg1\"";
    >
    > Any suggestions on which would be better? Maybe a combination of both?
    > Prevent against the possibility of giving command controls to wwwrun,
    > but feel "safer" knowing that this user cannot really cause harm on the
    > filesystem (I suppose it is always possible to kill the web server with
    > some kill commands...)
    >
    >

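
The three ways of building the command discussed in posts #3 and #4, side by side, as an added example that is not part of the original thread. `/bin/myprog`, `-arg1` and `otheruser` are taken from the posts; the allow-list pattern and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. /bin/myprog, -arg1 and otheruser
// come from the posts; the allow-list pattern and sample inputs are assumptions.

const SUDO_PREFIX = '/usr/bin/sudo -u otheruser /bin/myprog -arg1 ';

// As posted in #3: the value is pasted straight into a shell command line.
function cmd_unquoted(string $arg): string {
    return SUDO_PREFIX . $arg;
}

// Idea 2 from #3: wrap in double quotes. A quote inside the value closes them.
function cmd_double_quoted(string $arg): string {
    return SUDO_PREFIX . '"' . $arg . '"';
}

// Suggestion from #4: escapeshellarg() single-quotes the value and escapes
// embedded single quotes, so the shell passes it on as exactly one argument.
function cmd_escaped(string $arg): string {
    return SUDO_PREFIX . escapeshellarg($arg);
}

// Escaping does not stop a value such as "-option2" from being read by
// myprog as another option, so validate against an allow-list first.
// Assumed policy: 1-64 chars, starts alphanumeric, then [A-Za-z0-9._-].
function is_valid_arg(string $arg): bool {
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $arg) === 1;
}

// Constructed sample inputs (benign payloads chosen for illustration).
$samples = ['report42', 'test; id', 'test"; id; "', "it's", '-option2'];

foreach ($samples as $arg) {
    printf("input:         %s\n", $arg);
    printf("  unquoted:    %s\n", cmd_unquoted($arg));
    printf("  dbl-quoted:  %s\n", cmd_double_quoted($arg));
    printf("  escaped:     %s\n", cmd_escaped($arg));
    printf("  allow-list:  %s\n\n", is_valid_arg($arg) ? 'accept' : 'reject');
}
```

A sudoers entry that names only `/bin/myprog` permits any arguments, so sudo itself does not limit what reaches the program; the validation has to happen in the application and in `myprog`.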
