author | Craig Mohrman <craig.mohrman@oracle.com> |
Thu, 04 Aug 2016 08:26:36 -0700 | |
changeset 6548 | 24913c16931e |
parent 5497 | 862a4276da0f |
child 7301 | 0853d00f0cd4 |
child 7409 | f574f35f5142 |
permissions | -rw-r--r-- |
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Open second terminal with root shell. Keep this as a possibility to assume |
# root privileges if you lose the ability to do so via sudo during testing. |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Make sure we are looking at the correct version |
sudo -V | grep version |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Test digest feature |
|
# Make sure that the following line is commented out in /etc/sudoers (otherwise this catch-all rule would still allow the command when the digest does not match): |
# ALL ALL=(ALL) NOPASSWD: ALL |
|
openssl dgst -sha224 /usr/bin/ls # make note of the hash |
|
# Add this line to sudoers (replace UID by your user ID and HASH by the ls |
# hash): |
<UID> ALL = sha224:<HASH> /usr/bin/ls |
|
# This should work (asking you for a password first) |
sudo /usr/bin/ls / |
|
# Now change the hash so that it is wrong and make sure it does not work this |
# time |
sudo /usr/bin/ls / |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
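# Add this line to sudoers (it grants every user passwordless root, so use a disposable test system and remove the line when testing is finished) |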
ALL ALL=(ALL:ALL) NOPASSWD: ALL |
|
# Make sure it gives you root account |
sudo id |
|
# Make sure this changes just your group |
sudo -g sol_src id |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Test creating a file in etc |
sudoedit /etc/test |
... |
cat /etc/test # Make sure the text is there |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Auditing (the rm below deletes the existing audit files; confirm that the cd succeeded before running it) |
cd /var/audit |
sudo /usr/sbin/audit -t |
sudo rm * |
sudo /usr/sbin/audit -s |
sudo auditreduce * | praudit -s |
> file,1970-01-01 00:00:00.000 +00:00, |
> file,2014-03-27 10:34:23.000 +00:00, |
|
# Make sure that since the first run we can see a new audit record |
sudo auditreduce * | praudit -s |
> file,2014-03-27 10:34:23.000 +00:00, |
> header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00 |
> subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2 |
> path,/var/share/audit |
> path,/usr/sbin/auditreduce |
> cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0, |
> return,success,0 |
> file,2014-03-27 10:34:23.000 +00:00, |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# PAM credentials |
|
# Make sure that 'root' is a role |
sudo usermod -K type=role root |
|
# Note the preselection mask, it should probably be 'lo(0x1000,0x1000)' |
sudo bash -c 'auditconfig -getpinfo $$' |
|
# Add audit flags to root |
sudo rolemod -K audit_flags=lo,ex:no root |
|
# Make sure that the preselection mask now shows new entries (lo,ex) |
sudo bash -c 'auditconfig -getpinfo $$' |
|
# Disable PAM credentials in sudo by adding this line to sudoers: |
Defaults !pam_setcred |
|
# Make sure that the preselection mask now shows only previous entry |
sudo bash -c 'auditconfig -getpinfo $$' |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Solaris privileges |
|
# Add this to the end of sudoers, keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' above |
<UID> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash |
|
# Just your regular id |
id |
> uid=157888(vmarek) gid=10(staff) |
|
# Sudo normally turns you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line |
sudo id |
> uid=0(root) gid=0(root) |
|
# For bash it should leave your ID and just grant dtrace privileges |
sudo bash -c 'id; ppriv $$' |
uid=157888(vmarek) gid=10(staff) |
> 2296: bash -c id; ppriv $$ |
> flags = <none> |
> E: basic,dtrace_kernel,dtrace_proc,dtrace_user |
> I: basic,dtrace_kernel,dtrace_proc,dtrace_user |
> P: basic,dtrace_kernel,dtrace_proc,dtrace_user |
> L: basic,dtrace_kernel,dtrace_proc,dtrace_user |
|
# dtrace functionality |
sudo dtrace -l -n 'syscall::b*:entry' |
> ID PROVIDER MODULE FUNCTION NAME |
> 11282 syscall brk entry |
> 11550 syscall brandsys entry |
> 11642 syscall bind entry |
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
# Test noexec |
|
# Verify the following works |
|
$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
before |
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon) |
after |
|
# Add the following to sudoers |
|
ALL ALL = NOPASSWD: NOEXEC: /usr/perl5/5.12/bin/perl |
|
# Now Perl should be prevented from running further commands, so the output is |
|
$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
before |
after |
|
# Perl itself works as expected |
|
$ /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
before |
uid=101(rimmer) gid=10(staff) groups=10(staff) |
after |