Hi,

On 08/08/2013 12:35, martin f krafft wrote:
>
> [2] Instead of setting env_keep globally, I suggest to create
> a Cmnd_Alias for the commands molly-guard protects, and then to use
> this syntax:
>
>   Defaults!MOLLY_GUARD_COMMANDS env_keep+=SSH_CONNECTION

hmm... finally, I'm not sure it is such a good idea:

user@debian:~$ sudo cat /etc/sudoers.d/molly-guard
# /etc/sudoers.d/molly-guard
# [...]
Cmnd_Alias MOLLY_GUARD_COMMANDS = /usr/sbin/halt, /sbin/halt, [...]
Defaults!MOLLY_GUARD_COMMANDS env_keep += SSH_CONNECTION
user@debian:~$ echo $SSH_CONNECTION
(source_ip source_port dest_ip dest_port)
user@debian:~$ sudo halt
(molly-guard prompts for the hostname)
user@debian:~$ sudo -s
root@debian:/home/user# echo $SSH_CONNECTION

root@debian:/home/user# halt
(unguarded; end of story)

In this example, I directly invoke a root shell; but the same happens
if I invoke another command that provides a shell, either directly
(screen or tmux), or by escaping to a shell or running a shell command
(vim, emacs, mc...).

So I would prefer:

  Defaults env_keep+=SSH_CONNECTION

Otherwise, the use cases for which shutdown commands are protected are
too specific, and then these restricted sudoers settings provide no real
benefit.

There are some other pros:

- I don't think the export of SSH_CONNECTION into the sudo environment
  is able to introduce a security issue; it is not even a pathname.
- Knowing that a lot of users use 'sudo -E' when they need to use such
  or such a variable in the sudo environment, providing some useful
  variables in the env_keep whitelist can keep them from using the
  (insecure) -E option.
- SSH_CONNECTION is exported in 'su', so why not export it in 'sudo'?

Cheers,
quidame