LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-10-2008, 11:08 PM   #1
splunk
Member
 
Registered: Jan 2007
Location: PA, USA
Distribution: Ubuntu Jaunty (9.04)
Posts: 31

Rep: Reputation: 16
sudo cp


Need to allow a user other than root to copy files into /etc. Trying to set up sudo to allow the user to run the following command:

Code:
sudo cp ./permtest /etc/permtest
I added this line to /etc/sudoers:

Code:
srvrbackup ALL= NOPASSWD: /bin/cp * /etc/
It keeps telling me that the user is not allowed to execute '/bin/cp ./permtest /etc/permtest' as root on localhost.

What I'm trying to do is restrict the user so that they can only copy files from /media/cdrom to /etc.

The permissions on /etc/permtest are:
Code:
-rw-rw-rw- 1 root root 59 May 10 22:43 /etc/permtest
What do I need to change to allow the user permission to copy files into /etc?
 
Old 05-11-2008, 09:15 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by splunk View Post
I added this line to /etc/sudoers:

Code:
srvrbackup ALL= NOPASSWD: /bin/cp * /etc/
It keeps telling me that the user is not allowed to execute '/bin/cp ./permtest /etc/permtest' as root on localhost.
To run the command (if I understood you correctly)

Code:
sudo cp ./permtest /etc/permtest
I think you would need the rule


Code:
srvrbackup ALL= NOPASSWD: /bin/cp * /etc/*
Which seems incredibly dangerous (for an untrusted user) to me. Actually, allowing copying into the /etc directory is dangerous, but the above rule would also allow users to arbitrarily rename the file in the process! (It also allows them to supply arbitrary options to cp.) If you don't need to rename a file while copying it to a different directory, you don't need to specify the file name in the second argument. I.e., the following two commands do the same thing:

Code:
cp ./permtest /etc/permtest
cp ./permtest /etc/
So if you want the most restrictive rule that doesn't allow options or file renaming, try:

Code:
srvrbackup ALL= NOPASSWD: /bin/cp /media/cdrom/* /etc/
and instruct the users not to repeat the filename in the command.
 
Old 05-11-2008, 11:03 AM   #3
splunk
Member
 
Registered: Jan 2007
Location: PA, USA
Distribution: Ubuntu Jaunty (9.04)
Posts: 31

Original Poster
Rep: Reputation: 16
Thanks. Problem Solved

This command is actually going to be used in an automated restore script which reads a list of files to copy. The user will not be able to specify which files get copied.

For those who are learning, here is the rule and how to use it.

Format of sudo rule:
Code:
srvrbackup ALL= NOPASSWD: /bin/cp /media/cdrom/* /etc/*
Usage:
Code:
sudo cp /media/cdrom/$filename /etc/
 
Old 05-11-2008, 11:48 AM   #4
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Rep: Reputation: 31
NICE splunk! By the way, lots of fun can be had with:

Code:
$ echo PWNT > /home/issue
$ sudo cp /media/cdrom/../../home/issue /etc/issue
 
Old 05-12-2008, 03:08 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by splunk View Post
This command is actually going to be used in an automated restore script which reads a list of files to copy. The user will not be able to specify which files get copied.
Yeah, I wasn't paying attention to the username! So you have it configured so this user can't get a shell to run arbitrary commands? I hope you are using a digitally signed CD or something so that users can't "restore" off of a CD they recorded.
 
Old 05-12-2008, 10:36 AM   #6
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Rep: Reputation: 31
I don't get it. Didn't I just point out 'srvrbackup' can virtually do any `cp` operation that root could do? Including copying (and why not, replacing) /etc/shadow; so this allows for fairly easy privilege escalation.

Perhaps you're going to say "yeah but nobody's going to be able to su to srvrbackup in the first place". Well then:

#1. Go ahead and keep introducing holes in your system thinking each (individually) can't be exploited, wait for them to start forming a system.

#2. The sudo line is now overly complex. It doesn't do what it's supposed to do, you might as well just let srvrbackup use `cp` as root since obviously your source/destination restrictions do not work.
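The thread's conclusion is that a sudoers glob on `cp` cannot constrain source or destination paths. The usual fix is to give sudo a wrapper script instead and let the script validate its one argument. The following is an added example, not code from any poster; the script name /usr/local/sbin/restore-etc and the sudoers line in the comment are assumptions.

```shell
#!/bin/sh
# restore-etc: a wrapper to hand to sudo instead of a "cp glob" rule.
# Added example, not the thread's code. Assumed sudoers line (one argument,
# validated here, so the glob no longer has to carry the security):
#   srvrbackup ALL= NOPASSWD: /usr/local/sbin/restore-etc *
# The argument is a bare filename; it is copied from the CD mount into the
# destination directory under the same name, so no renaming and no options.

# validate_name NAME: 0 for a plain filename, 1 for anything that could
# steer cp elsewhere (empty, "." / "..", a slash, or a leading dash).
validate_name() {
    case $1 in
        ''|.|..|-*|*/*) return 1 ;;
    esac
    return 0
}

# check_source ROOT NAME: print the canonical path of ROOT/NAME and return 0
# only if it is a regular, non-symlink file that still resolves inside ROOT
# (a symlink on the CD pointing at /etc/shadow would otherwise be copied).
check_source() {
    validate_name "$2" || return 1
    root=$(readlink -f -- "$1") || return 1
    path=$(readlink -f -- "$root/$2") || return 1
    case $path in
        "$root"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$path" ] && [ ! -L "$root/$2" ] || return 1
    printf '%s\n' "$path"
}

# restore_file ROOT DEST NAME: copy ROOT/NAME into DEST/ after the checks.
restore_file() {
    src=$(check_source "$1" "$3") || { echo "restore-etc: refused '$3'" >&2; return 1; }
    # "--" ends option parsing; copying to "DEST/" keeps the original name.
    cp -- "$src" "$2/"
}

# When run with exactly one argument, act as the sudo target.
if [ $# -eq 1 ]; then
    restore_file /media/cdrom /etc "$1"
fi
```

The restore script then calls `sudo /usr/local/sbin/restore-etc "$filename"` per list entry, and the `../../home/issue` and `-option` cases from the thread are refused before cp ever runs.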
 