Sudo allows admins to give users permission to perform actions as the root user. Normally, when you give a user sudo, you limit the commands they can run so as not to give any single user full control over the system. If you use any of the default examples for sudo that can be found all over the internet and in the sample configs, you may be giving users more access to the system than you realize. This permission creep comes from the fact that some commands can execute other commands or spawn shells, and those commands and shells inherit the context of the root user. Common examples are text editors, more, less and find.

Figure (normal-sudo-config.PNG): What a quick configuration for the user saurabh may look like: ALL=(ALL:ALL) and the commands he has sudo permission to run.

Figure (sudo-vi-escalate.PNG): The user saurabh spawning a shell with the :sh command from inside vi, which produces a shell with root permissions.

Figure (sudo-find-escalate.PNG): Using the -exec option of find to spawn a root shell when a file is found.

There are ways to prevent this kind of behavior, though, such as the NOEXEC tag in the /etc/sudoers file. The NOEXEC tag prevents a binary from executing other programs. Its limitation is that it doesn't work on statically linked executables or on executables that use binary emulation, because it relies on a shared library being preloaded into dynamically linked programs.

Figure (noexec-sudo-config.PNG): Changing the (ALL:ALL) to NOEXEC: for the user saurabh.

Figure (escalation-failure.PNG): The same commands fail this time around, since they are no longer allowed to run other commands.

A cleaner way to let users edit files with sudo is the sudoedit command. sudoedit lets a user edit a file with their favorite text editor under their sudo permissions; the user sets the path of that editor in the $SUDO_EDITOR variable. This means admins only need to add one line to the sudoers file, instead of one line for each text editor on the system, or restricting everyone to a single text editor that some users may not be comfortable with, which could cause accidental or unintended file modification.

Also of note: if you use the sudoedit command, the NOEXEC option is not needed, since any commands run from inside the editor are executed as the original user and not as the elevated user (typically root).

Figure (sudoedit-sudoers.PNG): The adjusted /etc/sudoers file, removing the specific text editors and using the sudoedit command instead.

Figure (sudoedit-editor.PNG): Attempts to execute /bin/bash from sudoedit fail, and the user can change the editor that is used without any modification to the /etc/sudoers file.