Mastering Linux Security and Hardening

Preventing users from using shell escapes

Certain programs, especially text editors and pagers, have a handy shell escape feature that lets a user run a shell command without first exiting the program. For example, from the command mode of the Vi and Vim editors, someone could run the ls command by typing :!ls. Opening the /etc/default/useradd file with sudo privileges and running the command would look like this:

[donnie@localhost default]$ sudo vim useradd
[sudo] password for donnie:

# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
~
~
:!ls

The output, a listing of the /etc/default directory, would look like this:

grub nss useradd
Press ENTER or type command to continue

Because Vim was started with sudo, the ls command, and any other command issued through the shell escape, runs as root.

Now, imagine that you want Frank to be able to edit the sshd_config file and only that file. You might be tempted to add a line to your sudo configuration that would look like this:

frank ALL=(ALL) /bin/vim /etc/ssh/sshd_config

This looks like it would work, right? Well, it doesn't, because once Frank has opened sshd_config with his sudo privilege, the editor itself is running as root. Frank can then use Vim's shell escape to run any other command as root, which includes spawning a root shell, and he can also use the editor's own :w command to overwrite any other configuration file. You can fix this problem by having Frank use sudoedit instead of vim:

frank ALL=(ALL) sudoedit /etc/ssh/sshd_config

sudoedit copies the file to a temporary location, runs the editor (taken from the SUDO_EDITOR, VISUAL or EDITOR environment variables) as Frank's own unprivileged account, and copies the result back with root privileges only after the editor exits. The editor's shell escape still works, but anything Frank runs from it executes with his own privileges rather than root's, and he can only write back the one file named in the rule, so you can safely allow Frank to use it. Note that adding the NOEXEC tag to the original vim rule is not a substitute: it stops the editor from spawning other programs, but Vim running as root can still write to any file on the system. Other programs that have a shell escape feature include the following:

  • emacs
  • less
  • view
  • more
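As an added audit check, not part of the book, the following POSIX shell script scans a sudoers-style file for rules that grant one of the programs listed above, as a bare name or with a full path, and that have not already been converted to sudoedit. The sudoers fragment it reads is constructed inline for the demonstration; the function names and the sample users (frank, carol, dave, erin) are this example's own and not from the chapter.

```shell
#!/bin/sh
# Added audit helper, not part of the book: list sudoers rules that grant an
# editor or pager with a shell escape and that have not been converted to
# sudoedit. Assumes one rule per line in the syntax shown in the chapter;
# comments, blank lines, Defaults lines and alias definitions are skipped.

# Programs with shell escapes, as listed in the chapter.
ESCAPE_PROGS='vi vim view emacs less more'

# flag_shell_escapes FILE
# Prints every rule in FILE whose command list names one of $ESCAPE_PROGS,
# either as a bare name or as /any/path/name. Returns 0 if at least one rule
# was flagged, 1 if the file is clean.
flag_shell_escapes() {
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|Defaults*|*_Alias*) continue ;;
        esac
        # Strip "user HOST=" and an optional "(runas)" to keep the command part.
        cmds=${line#*=}
        case "$cmds" in
            '('*')'*) cmds=${cmds#*\)} ;;
        esac
        # Rules that already use sudoedit run the editor unprivileged: fine.
        case "$cmds" in
            *sudoedit*) continue ;;
        esac
        for prog in $ESCAPE_PROGS; do
            # Whole-word match so that e.g. /usr/bin/viewer does not match view.
            if printf '%s\n' "$cmds" |
               grep -Eq "(^|[[:space:],])(/[^[:space:],]*/)?$prog([[:space:]]|,|$)"; then
                printf '%s\n' "$line"
                found=0
                break
            fi
        done
    done < "$1"
    return $found
}

# write_sample_sudoers FILE
# Writes a constructed sudoers fragment for the demonstration (not a real file).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample sudoers fragment
Defaults env_reset
Cmnd_Alias EDITORS = /usr/bin/vim
frank ALL=(ALL) /bin/vim /etc/ssh/sshd_config
frank ALL=(ALL) sudoedit /etc/ssh/sshd_config
carol ALL=(root) NOPASSWD: /usr/bin/less /var/log/secure
dave ALL=(ALL) /usr/bin/systemctl restart sshd
erin ALL=(ALL) /usr/bin/viewer
EOF
}

# Stand-alone run: only frank's vim rule and carol's less rule are flagged.
SAMPLE=$(mktemp)
write_sample_sudoers "$SAMPLE"
flag_shell_escapes "$SAMPLE"
rm -f "$SAMPLE"
```

On a real system, point flag_shell_escapes at /etc/sudoers and each file under /etc/sudoers.d, then rewrite every flagged rule to use sudoedit with the specific file the user needs.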