Sudo Mastery: User Access Control for Real People (IT Mastery Book 3) by Michael W Lucas

Author: Michael W Lucas
Language: eng
Format: mobi
Publisher: Tilted Windmill Press
Published: 2013-11-14T03:00:00+00:00


Environment Customization

A sudo policy can do more than just allow and disallow environment variables; it can explicitly set variables. Sudoers policies let you set the user's path, and you can also set arbitrary environment variables if needed.

Managing $PATH

One environment variable is a little trickier than most. Many intruders try to sabotage a user's $PATH, so that the user will run a bogus version of commands rather than the proper one. If a helpdesk flunky needs to reset a user's password, but he runs the program /tmp/.1234/hacker/passwd rather than /usr/bin/passwd, bad things will happen. Use the secure_path option to define your trusted path for sudo commands.

Defaults secure_path="/bin:/usr/bin:/sbin:/usr/sbin"

Sudo tries to run the command using the secure path. If the command isn't in the secure path, it fails.

This affects commands run via sudo, but not shell instances started via sudo. If you start a full interactive shell, the shell reads the target user's .profile and other shell startup files as it initializes the environment. Secure paths help when running sudo like this:

$ sudo passwd mike

In this use case, secure_path makes sure that the passwd command being run is actually the system's passwd command and not an intruder's customized copy. It doesn't verify that the sudo command the user ran is the proper one, however, so users still need to take care of their $PATH.
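The lookup difference described above, as an added example that is not from the book: a small model of left-to-right path search, run once against a poisoned $PATH and once against the secure_path value. The names resolve, demo and site-tool are hypothetical, and a temporary directory stands in for the intruder's directory.

```shell
#!/bin/sh
# Added example: command lookup under a user's PATH versus sudo's secure_path.
SECURE_PATH="/bin:/usr/bin:/sbin:/usr/sbin"   # the secure_path value from the text

# resolve CMD PATHLIST: print the first executable file named CMD found in the
# colon-separated PATHLIST, searching left to right; return 1 if none has it.
resolve() {
    _cmd=$1
    _rest=$2
    while :; do
        _dir=${_rest%%:*}
        [ -z "$_dir" ] && _dir=.    # in a shell PATH an empty entry means "."
        if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
            printf '%s\n' "$_dir/$_cmd"
            return 0
        fi
        case $_rest in
            *:*) _rest=${_rest#*:} ;;
            *)   return 1 ;;
        esac
    done
}

demo() {
    # Constructed stand-in for the intruder's directory: a harmless file named
    # passwd, plus site-tool, a hypothetical command that is not in SECURE_PATH.
    _tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "not the real passwd"\n' > "$_tmp/passwd"
    cp "$_tmp/passwd" "$_tmp/site-tool"
    chmod +x "$_tmp/passwd" "$_tmp/site-tool"
    _poisoned="$_tmp:$PATH"         # intruder's directory is searched first

    echo "passwd via poisoned PATH:  $(resolve passwd "$_poisoned")"
    echo "passwd via secure_path:    $(resolve passwd "$SECURE_PATH" || echo 'not found')"
    echo "site-tool via secure_path: $(resolve site-tool "$SECURE_PATH" || echo 'not found')"
    rm -rf "$_tmp"
}
demo
```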

Adding Environment Variables

Sometimes you want to specifically set environment variables for a privileged user. Use the env_file option to give the full path to a file containing the new environment variables. One common situation is when you're behind a proxy server. You want users to always access the internet via your proxy? Add the environment variables to their environment.

Defaults env_file="/etc/sudoenv"

The environment file contains a standard list of variable assignments, like so.

FTP_PROXY=http://proxyhost:8080
ftp_proxy=http://proxyhost:8080
HTTP_PROXY=http://proxyhost:8080
http_proxy=http://proxyhost:8080

Sudo adds these environment variables before stripping out the environment, so list any added variables in an env_keep sudoers rule as well. This also means you override the user's own environment variables, so if a user has a different setting you've just replaced it.


