Odi's astoundingly incomplete notes
New entries | Codeanother broken sudo
$ sudo -l [sudo] password for xxx: Matching Defaults entries for xxx on this host: requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, logfile=/var/log/sudolog User xxx may run the following commands on this host: (ALL) ALL, (ALL) /usr/bin/passwd [a-zA-Z0-9_-]*, !/usr/bin/passwd root, (ALL) !/sbin/su*, !/bin/su, !/bin/bash root, !/bin/sh root, (ALL) !/usr/sbin/visudo, (ALL) !sudoedit /etc/sudoers, (ALL) !/usr/bin/* /etc/sudoers, !/bin/* /etc/sudoers, /opt/* /etc/sudoers, (ALL) !/usr/bin/* /etc/shadow, !/bin/* /etc/shadow, !/opt/* /etc/shadow $ sudo bash # whoami rootLook how they wanted to restrict executing bash. And look how they wanted to restrict access to sudoers. All that AFTER giving me ALL(ALL). Again, sudo is a complete failure.
It's always a really stupid idea to first hand out permission to everything and then trying to backpedal and go all like: uh oh... but not that... and this... and not that either... and... ah clever me... You are not going to find all possibilities. Ever.
Add comment