On a linux machine, a non-root user open a file,
$ sudo vi /etc/hosts
and quit saying :sh
to get root access.
1) With above, How a non-root user becomes a root user?
2) Why Linux allow such hacking approach to breach security?
editorsSecuritysudo
On a linux machine, a non-root user open a file,
$ sudo vi /etc/hosts
and quit saying :sh
to get root access.
1) With above, How a non-root user becomes a root user?
2) Why Linux allow such hacking approach to breach security?
Use sudo -E
to preserve your environment:
$ export FOO=1
$ sudo -E env | grep FOO
FOO=1
That will preserve $HOME
and any other environment variables you had, so the same configuration files you started with will be accessed by the programs running as root.
You can update sudoers
to disable the env_reset
setting, which clears out all environment variables and is generally enabled by default. You may have to enable the ability to use sudo -E
at all in there as well. There are a few other sudoers
settings that might be relevant: env_keep
, which lets you specify specific variables to keep by default, and env_remove
, which declares variables to delete always. You can use sudo sudo -V
to see which variables are/are not preserved.
An alternative, if you can't modify sudoers
, is to provide your environment explicitly:
sudo env HOME=$HOME command here
You can make a shell alias to do that automatically so you don't have to type it in.
Note that doing this (either way) can have potentially unwanted side effects: if the program you run tries to make files in your home directory, for example, those files will be created as root and your ordinary user won't be able to write to them.
For the specific case of vim
, you could also put your .vimrc
as the system-wide /etc/vimrc
if you're the only user of this system.
groupadd -r updaters
The -r
option reserves a system group, i.e. 0 - 100.useradd -G updaters john
, useradd -G updaters sally
. You can also use the user alias section to acheive this. See Sudoer File Examples for a fully functioning User Alias Section. In my opinion, doing it the way I've done adds security, as the group actually exists in the system.Cmnd_Alias UPDATE_CMDS = /usr/bin/aptitude, /usr/bin/dpkg, /usr/bin/apt-get up*, /usr/bin/apt-get install
dpkg
is needed for apt-get
. See AskUbuntu: Adding apt-get to sudoers file.apt-get update
and apt-get upgrade
are both needed. Using a glob pattern achieves both.aptitude
may be used to replace apt-get
if the dpkg
behavior noted above is undesired. If you don't want users in the updaters
group to install off the internet with a mouse click...Now we must add our updates into our sudoers file. Issue: visudo
,and:
The default sudoers file from Ubuntu (with adds from above):
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Uncomment to allow members of group sudo to not need a password
# %sudo ALL=NOPASSWD: ALL
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias UPDATE_CMDS = /usr/bin/aptitude, /usr/bin/dpkg, /usr/bin/apt-get up*, /usr/bin/apt-get install
# User privilege specification
root ALL=(ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Members of the upgraders group may perform certain upgrade commands.
# If No Password is desired, comment the line below, and see the next option.
%upgraders ALL=UPDATE_CMDS
# Members of the upgraders group may perform certain upgrade commands,
# WITHOUT A PASSWORD DANGEROUS (uncomment if desired):
#%upgraders ALL=NOPASSWD:UPDATE_CMDS
If you decide to add unattended-upgrade
, read the Debian Documentation on it. and use which unattended-upgrade
to determine the path to add it to UPDATE_CMDS
. See Problem Section.
After even more research, I ran across a Blogpost: Everything you need to know about conffiles: configuration files managed by dpkg. The problem is not in apt variants, the problem is in the underlying dpkg
implementation. Quoting:
Avoiding the conffile prompt
Every time that dpkg must install a new conffile that you have modified (and a removed file is only a particular case of a modified file in dpkg’s eyes), it will stop the upgrade and wait your answer. This can be particularly annoying for major upgrades. That’s why you can give predefined answers to dpkg with the help of multiple --force-conf* options:
- --force-confold: do not modify the current configuration file, the new version is installed with a .dpkg-dist suffix. With this option alone, even configuration files that you have not modified are left untouched. You need to combine it with --force-confdef to let dpkg overwrite configuration files that you have not modified.
- --force-confnew: always install the new version of the configuration file, the current version is kept in a file with the .dpkg-old suffix.
- --force-confdef: ask dpkg to decide alone when it can and prompt otherwise. This is the default behavior of dpkg and this option is mainly useful in combination with --force-confold.
- --force-confmiss: ask dpkg to install the configuration file if it’s currently missing (for example because you have removed the file by mistake).
Knowing this, as the blog points out, we can create /etc/apt/apt.conf.d/local
, and add (example):
Dpkg::Options {
"--force-confdef";
"--force-confold";
}
This should then bypass the Z
option all together.
Unattended Upgrades are usually a bad idea, because the OS may install items that were unexpected, for example new kernels, or updated drivers that will break a functioning driver, added to the idea that you're giving the option to a user. The other issue here is that since apt-get
uses argument passing to decide which option to perform, one must pass each desired option in the Command Alias created. By adding each argument separately, we remove the ability to use the dist-upgrade
argument. Like you, I assumed one could not pass an argument in the sudoers file, and while researching I too, learned something new.
nixCraft - Howto: Linux Add User To Group
Aptitude - Ubuntu Documentation
Ubuntu Forums - Thread: HowTO: Sudoers Configuration
Ubuntu Documentation - Installing Software
AskUbuntu - What is the difference between apt-get update and upgrade?
Best Answer
The non-root user became root as soon as they successfully ran
sudo
(given the assumedroot
target user); they started runningvi
as root. When you askvi
for a shell, it dutifully runs a shell, as the current user -- root! I should clarify that you should not "quit" vi with the:sh
command, as that's asking for a shell. Quit with:q
instead.Linux allows such functionality because that's specifically what
sudo
is intended to do! Perhaps you've seen the lecture that sudo gives:sudo offers a limited "speed bump" to this when it comes to granting "ALL" access, in the form of the
!
negation operator, often demonstrated as:where jill is granted permission to run programs from /usr/bin, but not anything listed in the SU or SHELLS aliases.
The sudoers man page has a whole "Security Notes" section when it comes to granting large-scale access via sudo and then trying to restrict it.
and
and more pertinently: