Sudo

Sudo on mybooks is preety fukd up… :

www-data ALL=(root) NOPASSWD : /usr/bin/install,\>
/usr/bin/diff,\
/usr/www/nbin/mdadm.sh,\
/usr/www/nbin/ethtool.sh,\
/usr/www/nbin/chmod.sh,\
/usr/www/nbin/chown.sh,\
/usr/www/nbin/chgrp.sh,\
/usr/www/nbin/touch.sh,\
/usr/www/nbin/mkdir.sh,\
/usr/www/nbin/fdisk.sh,\

yea make hmm.php / <? passthru("sudo rm -rf /"); ?>
o0
sztupid

do

  1. vi /etc/sudoers

www-data ALL=(root) NOPASSWD : /bin/ls,\
#/usr/bin/install,\
#/usr/bin/diff,\
/usr/www/nbin/mdadm.sh,\
/usr/www/nbin/ethtool.sh,\
#/usr/www/nbin/chmod.sh,\
#/usr/www/nbin/chown.sh,\
#/usr/www/nbin/chgrp.sh,\
/usr/www/nbin/touch.sh,\
/usr/www/nbin/mkdir.sh,\
#/usr/www/nbin/fdisk.sh,\

or sumtin


Note: The above changes, while useful from a security perspective, will break things in the web interface, as well as cause problems with accessing Samba shares.

www-data is the user associated with the http management interface. Many of the things you do from there are implemented with perl or shell scripts. And many of the files you have to change are readable and/or writeable only by root; therefore, sudo is used to temporarily gain access (often via chmod/chown, which is interesting in itself) to these files. For some examples of this, do some grepping in /usr/www/* and /usr/www/*/*.

Example: /usr/www/lib/nasCommon.pm uses sudo to chmod 0644 /var/private/smbpasswd, so that you can create a new user from the http interface. Now, if you don't let www-data execute chmod via sudo, you will not be able to create new users, you will get an error:

"A serious error has occured: smbpasswd file not readable" or similar.

There are other files involved as well, and chmod'ing all of them permanently is probably at least as bad a security risk as the sudoers file in stock form. Moreover, it won't work: there is another mechanism that I haven't identified yet, that goes back and chmods /var/private/smbpasswd back to 0600 every so often. Not sure about the other files.

Also, even logging in via ssh and doing a temporary chmod is bad, unless you can identify all the files involved; you'll end up with your new users (or shares, or passwords, or whatever) being added to some files but not others, and you may even start getting errors like "drive is bad or has inconsistent filesystem") or some such.

So, if you administer your box only via command line, the above changes may work for you; but if you plan on using the web interface, you will definitely need to back them out first!!


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License