[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Sam Morris via FreeIPA-users

On 21/09/2023 18:30, Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
>> HBAC can do this better.
>> HBAC controls who is allowed to use PAM services. sudo-i is a PAM
>> service. It is allowed now, I'm assuming, because you have the HBAC
>> allow_all rule enabled.
>>
>> If you disable or delete it then nobody will do anything so be careful.
>> Everything, including ssh, is denied by default without this rule.
>
> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent
> him from escaping and starting a shell?


No, HBAC controls whether a user can use the 'sudo' and/or 'sudo-i' PAM 
services.


If a user can use the 'sudo' PAM service then they are able to launch 
sudo with a command line of their choice. sudo rules then determine 
whether sudo will accept or reject that command line.


If the sudo rules let the user run 'vim' then it's game over. Same 
applies for most other programs unless proven safe!


The sudo-users mailing list is probably a good place to ask for help 
with writing sudo rules.


One tool you have is the 'sudoedit' command. This lets you allow a user 
to edit files without running their editor as root.


However you still have to think very carefully about which files they're 
able to edit!


For instance, if you let them edit /etc/fstab then they can create a 
filesystem image containing a setuid executable, and then allow 
themselves to mount it by adding an fstab entry with the 'user' option...


--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 20:14, Rob Crittenden via FreeIPA-users wrote:
> Ulf Volmer via FreeIPA-users wrote:
>> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent
>> him from escaping and starting a shell?
>>
>> That's great! I should try to look into it.
>
> Not really. If you allow sudo to be executed then you're back to the
> same issues. What the original poster asked for was a way to not allow
> users to run sudo-i. That is possible with HBAC.



In this case maybe the OP asked the wrong question.

I assumed he didn't want to disallow only 'sudo -i'; I thought he wanted 
to disable all shell access, so 'sudo bash' and so on. But maybe I was 
wrong.



Best regards

Ulf



[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> 
>> HBAC can do this better.
>> HBAC controls who is allowed to use PAM services. sudo-i is a PAM
>> service. It is allowed now, I'm assuming, because you have the HBAC
>> allow_all rule enabled.
>>
>> If you disable or delete it then nobody will do anything so be careful.
>> Everything, including ssh, is denied by default without this rule.
> 
> 
> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent
> him from escaping and starting a shell?
> 
> That's great! I should try to look into it.

Not really. If you allow sudo to be executed then you're back to the
same issues. What the original poster asked for was a way to not allow
users to run sudo-i. That is possible with HBAC.

rob


[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> HBAC can do this better.
> HBAC controls who is allowed to use PAM services. sudo-i is a PAM
> service. It is allowed now, I'm assuming, because you have the HBAC
> allow_all rule enabled.
>
> If you disable or delete it then nobody will do anything so be careful.
> Everything, including ssh, is denied by default without this rule.

So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent 
him from escaping and starting a shell?


That's great! I should try to look into it.


Best regards

Ulf



[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Rob Crittenden via FreeIPA-users
Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:
> 
>> I don't want my users to become root with simply executing the 'sudo
>> -i' command so they can execute all root commands. Users should only
>> execute with sudo the allowed defined commands.
>> I'm able to prevent them from executing 'sudo su -', but I didn't find
>> any information about forbidding 'sudo -i'.
> 
> There is no good solution for this.
> 
> You can try something like
> 
> username ALL=(ALL)  ALL, !/usr/bin/bash, !/usr/bin/vi
> 
> But you have to specify all dangerous commands like vi, strace and so on.
> So please avoid this. To be safe, you have to define a whitelist of
> commands. Or to trust your users.

HBAC can do this better.

HBAC controls who is allowed to use PAM services. sudo-i is a PAM
service. It is allowed now, I'm assuming, because you have the HBAC
allow_all rule enabled.

If you disable or delete it then nobody will do anything so be careful.
Everything, including ssh, is denied by default without this rule.

So you'll need to create rules to allow the services you want, for the
users/groups you want, on the hosts you want. There is also a rule-level
glob for all users/groups and all hosts/hostgroups. So it can be as
fine-grained as you'd like.

You have to be very careful with sudo because users can be very crafty.
If they can call cp, ln or mv with sudo then they can create their own
/usr/bin/rcritsh which could allow them to do what they want because it
isn't in the prohibited list. chmod can also be used in unexpected ways. The
sudoers man page has a lot to say about ! under SECURITY NOTES.

rob
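The HBAC evaluation Rob describes above, as an added example in Python that is not IPA's or SSSD's own code: a request (user, host, PAM service) is allowed only when at least one enabled rule matches all three, and with no matching rule the result is deny. The users, groups, host group, rule names and the directory contents are constructed for the example. The "Sudo" HBAC service group is the one IPA ships with sudo and sudo-i as members; confirm that on your server with `ipa hbacsvcgroup-show Sudo` before relying on it.

```python
"""Model of FreeIPA HBAC evaluation. Added example, not IPA's own code.

A PAM service request (user, host, service) is allowed only if at least one
enabled rule matches all three; with no matching rule the answer is deny.
That is why disabling allow_all with no replacement rules cuts off every
service, sshd included, and why a rule naming the service "sudo" does not
cover "sudo-i".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    # A category of "all" is the rule-level glob ("User category: all");
    # otherwise only the explicit members below match.
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)


@dataclass
class Directory:
    """Constructed stand-in for the memberships SSSD would resolve from IPA."""
    user_groups: Dict[str, Set[str]]      # user -> groups
    host_groups: Dict[str, Set[str]]      # host -> hostgroups
    service_groups: Dict[str, Set[str]]   # hbacsvc -> hbacsvcgroups


def _member(name: str, direct: Set[str], via_groups: Set[str],
            membership: Dict[str, Set[str]], category: Optional[str]) -> bool:
    """True if the category is all, name is listed directly, or name is in a listed group."""
    if category == "all":
        return True
    return name in direct or bool(via_groups & membership.get(name, set()))


def rule_matches(rule: HBACRule, d: Directory, user: str, host: str, service: str) -> bool:
    if not rule.enabled:
        return False
    return (_member(user, rule.users, rule.groups, d.user_groups, rule.user_category)
            and _member(host, rule.hosts, rule.hostgroups, d.host_groups, rule.host_category)
            and _member(service, rule.services, rule.servicegroups,
                        d.service_groups, rule.service_category))


def matching_rules(rules: List[HBACRule], d: Directory,
                   user: str, host: str, service: str) -> List[str]:
    """Names of the rules that grant the request; an empty list means denied."""
    return [r.name for r in rules if rule_matches(r, d, user, host, service)]


# Constructed directory: two users, one host group, and the HBAC service groups.
DIR = Directory(
    user_groups={"alice": {"ops"}, "bob": {"dev"}},
    host_groups={"client.ipa.example": {"example-hosts"}},
    # IPA ships a service group "Sudo" whose members are sudo and sudo-i;
    # confirm with `ipa hbacsvcgroup-show Sudo` before relying on it.
    service_groups={"sudo": {"Sudo"}, "sudo-i": {"Sudo"}},
)
ALLOW_ALL = HBACRule("allow_all", user_category="all", host_category="all",
                     service_category="all")
OPS_LOGIN = HBACRule("ops-login", groups={"ops"}, hostgroups={"example-hosts"},
                     services={"sshd"})
OPS_SUDO = HBACRule("ops-sudo", groups={"ops"}, hostgroups={"example-hosts"},
                    services={"sudo"})
# The tempting shortcut: granting the "Sudo" service group re-admits sudo-i.
OPS_SUDO_GROUP = HBACRule("ops-sudo-group", groups={"ops"}, hostgroups={"example-hosts"},
                          servicegroups={"Sudo"})

DEFAULT_RULES = [ALLOW_ALL, OPS_LOGIN, OPS_SUDO]   # allow_all still enabled
SCOPED_RULES = [OPS_LOGIN, OPS_SUDO]               # allow_all disabled or deleted
```

With DEFAULT_RULES every request is granted by allow_all, sudo-i included. With SCOPED_RULES alice may use sudo and sshd on client.ipa.example, sudo-i is denied, and bob, who is in no listed group, is denied sshd as well, which is the lock-out Rob warns about. Appending OPS_SUDO_GROUP brings sudo-i back through the service group. On a real client the equivalent check is `ipa hbactest --user alice --host client.ipa.example --service sudo-i`.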


[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Christian Heimes via FreeIPA-users

On 21/09/2023 18.21, Nathanaël Blanchet via FreeIPA-users wrote:
> Hello,
>
> I don't want my users to become root with simply executing the 'sudo
> -i' command so they can execute all root commands. Users should only
> execute with sudo the allowed defined commands.
> I'm able to prevent them from executing 'sudo su -', but I didn't find
> any information about forbidding 'sudo -i'.


You can limit which commands a user can execute, the hosts, and target 
user/group with sudo rules and HBAC rules:


- https://freeipa.readthedocs.io/en/latest/workshop/8-sudorule.html
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/granting-sudo-access-to-an-idm-user-on-an-idm-client_configuring-and-managing-idm


The restrictions also allow you to block sudo -i and su -i either with a 
custom HBAC rule (you need to disable the default allow_all rule) or 
with additional allow/deny commands for your sudo rule. "sudo -i" is 
just an alias for "run user's default shell as login shell". You could 
block all login shells. If you want a more secure rule, then only allow 
a well-defined list of commands and arguments.


Example:

$ sudo -i
Sorry, user testuser is not allowed to execute '/bin/bash' as root on client.ipa.example.

$ sudo -l
Matching Defaults entries for testuser on client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User testuser may run the following commands on client:
    (ALL : ALL) NOPASSWD: !/usr/bin/zsh, !/usr/bin/sudo, !/usr/bin/su,
        !/usr/bin/sh, !/usr/bin/ksh, !/usr/bin/bash

$ ipa sudorule-show example-sudo
  Rule name: example-sudo
  Enabled: True
  RunAs User category: all
  RunAs Group category: all
  Users: testuser
  Host Groups: example-hosts
  Sudo Deny Command Groups: shells_sudo
  Sudo Option: !authenticate

$ ipa sudocmdgroup-show shells_sudo
  Sudo Command Group: shells_sudo
  Member Sudo commands: /usr/bin/bash, /usr/bin/ksh, /usr/bin/sh, /usr/bin/su, /usr/bin/sudo, /usr/bin/zsh



--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security

Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill



[Freeipa-users] Re: prevent 'sudo -i ' from executing

2023-09-21 Thread Ulf Volmer via FreeIPA-users

On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:
> I don't want my users to become root with simply executing the 'sudo
> -i' command so they can execute all root commands. Users should only
> execute with sudo the allowed defined commands.
> I'm able to prevent them from executing 'sudo su -', but I didn't find
> any information about forbidding 'sudo -i'.


There is no good solution for this.

You can try something like

username ALL=(ALL)  ALL, !/usr/bin/bash, !/usr/bin/vi

But you have to specify all dangerous commands like vi, strace and so on.
So please avoid this. To be safe, you have to define a whitelist of 
commands. Or to trust your users.


Best regards
Ulf
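Both the deny-list sudoers line Ulf shows above (ALL with ! exclusions) and the deny-only IPA rule in Christian's `sudo -l` output earlier in the thread can be checked mechanically. The following is an added Python example, not code from the thread or from FreeIPA: it parses the "may run the following commands" section of `sudo -l` output and flags the patterns the thread warns about: ALL-minus-exclusions rules (bypassable per sudoers(5) SECURITY NOTES), rules that only deny and so allow nothing, positively allowed shells, editors and pagers with shell escapes, file-writing tools such as cp, ln, mv and chmod that let a user plant a binary outside the deny list, and sudoedit of /etc/fstab. The sample outputs are constructed from the thread's examples; the dangerous edit targets other than /etc/fstab are my own additions.

```python
"""Audit `sudo -l` output for deny-list rules and escape-prone commands.

Added example, not code from the thread. It reads the command specs sudo
prints after "may run the following commands" and reports the patterns
the thread warns about.
"""
import re
from typing import List, Tuple

# Commands that give the caller a root shell, or an editor/pager with a shell escape.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "su", "sudo"}
EDITORS_PAGERS = {"vi", "vim", "nano", "emacs", "less", "more", "man"}
# Commands that create, rename or mark executable a new path, which defeats a
# per-path deny list (sudoers(5), SECURITY NOTES).
FILE_WRITERS = {"cp", "mv", "ln", "chmod", "chown", "tee", "dd", "install"}
# Files whose edit is root-equivalent even via sudoedit. /etc/fstab is the case
# from the thread (user-mountable image with a setuid binary); the rest are my additions.
DANGEROUS_EDIT_TARGETS = {"/etc/fstab", "/etc/sudoers", "/etc/passwd",
                          "/etc/shadow", "/etc/crontab"}

TAG_RE = re.compile(r"^[A-Z]+:\s*")        # NOPASSWD:, NOEXEC:, SETENV: ...
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")


def command_specs(sudo_l_output: str) -> List[str]:
    """Collect the spec lines after 'may run the following commands'.

    A spec starts with the '(runas)' part; a line without it continues the
    previous spec, since sudo wraps long command lists."""
    specs: List[str] = []
    in_section = False
    for raw in sudo_l_output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith("("):
            specs.append(line)
        elif specs:
            specs[-1] += " " + line
    return specs


def parse_spec(spec: str) -> Tuple[str, List[Tuple[bool, str]]]:
    """'(ALL : ALL) NOPASSWD: !/usr/bin/zsh, /usr/bin/id' ->
    ('ALL : ALL', [(True, '/usr/bin/zsh'), (False, '/usr/bin/id')]);
    the bool marks a negated ('!') entry."""
    m = RUNAS_RE.match(spec)
    runas, rest = (m.group(1).strip(), m.group(2)) if m else ("", spec)
    entries: List[Tuple[bool, str]] = []
    for item in rest.split(","):
        item = item.strip()
        while TAG_RE.match(item):           # drop any number of leading tags
            item = TAG_RE.sub("", item)
        if item:
            entries.append((item.startswith("!"), item.lstrip("!").strip()))
    return runas, entries


def audit(sudo_l_output: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for spec in command_specs(sudo_l_output):
        runas, entries = parse_spec(spec)
        allowed = [cmd for neg, cmd in entries if not neg]
        denied = [cmd for neg, cmd in entries if neg]
        if "ALL" in allowed and denied:
            findings.append(f"deny-list rule ({runas}): ALL minus {len(denied)} path(s); "
                            "bypassable by copying or renaming a shell, use an allow list")
        if not allowed:
            findings.append(f"rule ({runas}) allows nothing; it only denies "
                            + ", ".join(denied))
        for cmd in allowed:
            if cmd == "ALL":
                continue
            prog, *args = cmd.split()
            base = prog.rsplit("/", 1)[-1]
            if base in SHELLS:
                findings.append(f"{cmd}: root shell")
            elif base in EDITORS_PAGERS:
                findings.append(f"{cmd}: shell escape via editor/pager")
            elif base in FILE_WRITERS:
                findings.append(f"{cmd}: can plant a new binary path outside any deny list")
            elif base == "sudoedit":
                findings.extend(f"sudoedit {a}: editing this file is root-equivalent"
                                for a in args if a in DANGEROUS_EDIT_TARGETS)
    return findings


# Constructed samples, modelled on the outputs quoted in the thread.
SAMPLE_DENY_ONLY = """\
Matching Defaults entries for testuser on client:
    !visiblepw, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User testuser may run the following commands on client:
    (ALL : ALL) NOPASSWD: !/usr/bin/zsh, !/usr/bin/sudo, !/usr/bin/su,
        !/usr/bin/sh, !/usr/bin/ksh, !/usr/bin/bash
"""
SAMPLE_BLOCKLIST = """\
User alice may run the following commands on host1:
    (ALL) ALL, !/usr/bin/bash, !/usr/bin/vi
    (root) /usr/bin/cp, sudoedit /etc/fstab
"""
SAMPLE_ALLOWLIST = """\
User alice may run the following commands on host1:
    (root) NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
"""
```

Run it over `sudo -l -U someuser` output captured on a client: the deny-only sample reports that the rule grants nothing (which is why Christian's `sudo -i` fails), the blocklist sample reports the ALL-minus-exclusions rule, the cp entry and the sudoedit of /etc/fstab, and the allow-list sample reports nothing. An empty report only means none of these patterns matched; whether systemctl or journalctl can themselves be abused is still a judgement the reviewer has to make.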