security & suid/sudo plugins

Alexander Harvey alexh19740110 at gmail.com
Mon Sep 4 14:40:58 CEST 2006


Hi All,

I'm using the same version of sudo on my Solaris systems. And by 'valid' I
didn't mean merely listed in /etc/shell; I meant a real shell like bash.
However, I'm afraid I can't reproduce the problem at the moment, but I can
say that I resorted to giving the nagios user a real shell only when I
realised I needed to run a shell-script plugin as the root user. Someone
explained to me: "It would be a security flaw for sudo to allow anything to
run for a user who is not otherwise entitled to a real shell." I make no
comment on the reasoning--consider it hearsay--but sure enough, it was the
only way I could get my plugin to work. If I get a chance to reproduce the
problem, I'll see what I can dig out about it.

Alex

On 9/4/06, Hari Sekhon <hpsekhon at googlemail.com> wrote:
>
>  Thomas Sluyter wrote:
>
> On 4 Sep, 2006, at 12:09, Hari Sekhon wrote:
>
>    Alexander Harvey wrote:
>
>  Note to Hari: my understanding is that sudo won't work for an account
> that doesn't have a valid shell. Certainly all my testing led me to
> that conclusion.
>
>  So it would seem that this is not correct. A valid shell is not
> required.
>
>  Actually, to nitpick a little :)
>
> I'd think it's entirely possible that sudo requires a valid shell,
> just like FTP and such. But in that case "valid" would mean "listed
> in /etc/shells" and not "working like a normal shell"... I'd have to
> check the man-page to be sure though..
>
> Cheers!
>
>
>
> /bin/false isn't listed as a valid shell on my nagios box and this still
> works. hmm.
>
> Also, you could use sudo -s /bin/bash check_command so that you get the
> shell for that one command. The man page says you can use this to override
> the system set shell.
>
> If you find anything written anywhere about this then let me know. It's
> entirely possible that different versions have different quirks, this is not
> unknown in unixland...
>
> fyi my sudo -V gives me the version as "Sudo version 1.6.8p9" (lots of
> extras output omitted)
>
>
> -h
>
>
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
>