camping travel destination outdoor private jets golf city travel hotels budget travel cruising travel

Monday, October 29, 2012

Prevent Users From Becoming root

As a Linux engineer I cringe when I see regular users at a root prompt. We've been trying to sort out the necessary sudo lockdowns to prevent it. We now have a fairly comprehensive configuration preventing various means of elevating one's privileges permanently. By no means is this complete and infallible. As my friend Shawn Butts pointed out: shell = root.

My hope is that by eliminating the obvious means, a user will have to endeavor to find a way to gain the root account. In doing so they will have exhibited a willful intent to bypass the security lockdowns.

Add the following line to the /etc/sudoers file (you don't have to call it "Custom"):

## Custom
Cmnd_Alias BANNED = /usr/bin/visudo, /*/bin/* /etc/sudoers, /bin/*sh, /*/bin/* /etc/shadow, /*/bin/* /etc/passwd, /*/bin/* /etc/group, /bin/su *root*, /usr/bin/passwd *root*, /usr/sbin/usermod, /usr/sbin/groupmod

## Custom
Cmnd_Alias BANNED = /bin/*sh, /bin/su *root*, /usr/bin/passwd *root*, /usr/sbin/visudo, /usr/sbin/usermod, /usr/sbin/groupmod, /bin/* [!""]* /etc/sudoers, /usr/bin/* [!""]* /etc/sudoers, /bin/* [!""]* /etc/passwd, /usr/bin/* [!""]* /etc/passwd, /bin/* [!""]* /etc/shadow, /usr/bin/* [!""]* /etc/shadow, /bin/* [!""]* /etc/group, /usr/bin/* [!""]* /etc/group, /bin/ln /bin/*sh, /bin/ln /bin/vi [!""]*, /bin/ln /usr/bin/vim [!""]*, /bin/ln /bin/sed [!""]*, /bin/ln /bin/awk [!""]*

This will prevent:
  • Editing the sudoers file (/usr/bin/visudo, /*/bin/* /etc/sudoers) and granting themselves more permissions than they should have*
  • Opening a root shell (/bin*sh)
  • Editing the shadow file (/*/bin/* /etc/shadow) and removing the root password*
  • Editing the passwd file (/*/bin/* /etc/passwd) and changing their primary group*
  • Modifying the group they belong to (/*/bin/* /etc/group) preventing them from directly adding themselves to the root group*
  • Switching to the root user (/bin/su *root*)
  • Changing the root password (/usr/bin/passwd *root*)
  • Running usermod and adding themselves to the root group (/usr/sbin/usermod)
  • Running groupmod and changing the GID of their primary group (/usr/sbin/groupmod; not actually necessary as groupmod won't allow changing a GID to one which already exists, but thrown in for good measure)
UPDATE:
  • Added the prevention of the creation of hard links (/bin/ln <command> [!""]*)
    • This requires changing the permissions of /bin/ln so that only root can execute it which will force sudo. 
    • This has the potential of causing issues later when applications are installed and the installer needs to create links (hard or symbolic). We are willing to take on that headache when it comes.
  • Added the prevention of executing other commands with options against interesting files (/bin/* [!""]* <file>).
    • in both the /bin/ln and this rule, the bang (!) is negated by the !BANNED option on the group permissions line.
    • Example:
      • user runs sudo /bin/sed -i '/BANNED/ s/^/#/' /etc/sudoers
      • The rule states that /bin/sed cannot be run with only a space. Therefore, options are required (in this case, the -i fulfills the requirement).
      • The !BANNED option says not [!""]* which essentially means you cannot not have only a space (a space is mandatory).
      • Following me there? I'm confused myself. I just know it works.
Yes, the rule is getting longer. Figuring it out is fun, though, and in the process we're locking our systems down further.

UPDATE 2:
I'm aware that this solution isn't 100%. Knowing that, the goal has shifted from completely preventing root access to implementing as many controls as possible to prevent it. This allows us to assume that if a person continues to circumvent the policies in place he has no respect for the policy or our intent. With this in mind we have a broader avenue to consider the user hostile and implement further controls on him directly.
* This will actually prevent opening the files with any application, not just an editor. I've also verified that it will prevent running symlinks to other applications (eg. sudo ~/notvim /etc/sudoers). What it doesn't do is prevent the use of hard links.

With that line in place, configure your restricted group/user like so:

%custadmins    ALL=(ALL) ALL, /bin/su [!-]*, !BANNED

Where custadmins is replaced with whichever user/group you are restricting.

This will allow users in the custadmins group to execute any command except the commands listed above in the BANNED list. Additionally, it will allow them to su to any user (except root as per the BANNED list) in order to do work as that user (eg. Switching to the oracle user to work on the Oracle database). However, it will not allow passing the - (hyphen) option to su (/bin/su [!-]*). The purpose of that is to not place a user in the environment of another user which is not restricted in the way the custadmins group is.

Example:
  • User A runs sudo su - oracle and becomes the oracle user with the associated login environment (including sudo permissions)
  • User A (as oracle) then runs sudo su - and becomes root
By not allowing the hyphen:
  • User A runs sudo su - oracle and is denied permission based on the [!-]* modifier in the /etc/sudoers file
  • User A then runs sudo su oracle (without the hyphen) and becomes oracle, but still retains User A’s login environment (including sudo permissions)
  • User A (as oracle) then runs sudo su - and is denied permission
Finally, the !BANNED entry disallows anything in the BANNED list from being run.

As previously stated, this is not complete. If you have suggestions to further enhance this please post them in the comments.