9 sudo -V | grep version |
9 sudo -V | grep version |
10 |
10 |
11 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
11 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
12 |
12 |
13 # Test digest feature |
13 # Test digest feature |
|
14 |
|
15 # Make sure that the following line is commented out in /etc/sudoers: |
|
16 # ALL ALL=(ALL) NOPASSWD: ALL |
14 |
17 |
15 openssl dgst -sha224 /usr/bin/ls # make note of the hash |
18 openssl dgst -sha224 /usr/bin/ls # make note of the hash |
16 |
19 |
17 # Add this line to sudoers (replace UID by your user ID and HASH by the ls |
20 # Add this line to sudoers (replace UID by your user ID and HASH by the ls |
18 # hash): |
21 # hash): |
116 sudo dtrace -l -n 'syscall::b*:entry' |
119 sudo dtrace -l -n 'syscall::b*:entry' |
117 > ID PROVIDER MODULE FUNCTION NAME |
120 > ID PROVIDER MODULE FUNCTION NAME |
118 > 11282 syscall brk entry |
121 > 11282 syscall brk entry |
119 > 11550 syscall brandsys entry |
122 > 11550 syscall brandsys entry |
120 > 11642 syscall bind entry |
123 > 11642 syscall bind entry |
|
124 |
|
125 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% |
|
126 |
|
127 # Test noexec |
|
128 |
|
129 # Verify the following works |
|
130 |
|
131 $ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
|
132 before |
|
133 uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon) |
|
134 after |
|
135 |
|
136 # Add the following to sudoers |
|
137 |
|
138 ALL ALL = NOPASSWD: NOEXEC: /usr/perl5/5.12/bin/perl |
|
139 |
|
140 # Now Perl should be prevent to run further commands, so the output is |
|
141 |
|
142 $ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
|
143 before |
|
144 after |
|
145 |
|
146 # Perl itself works as expected |
|
147 |
|
148 $ /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"' |
|
149 before |
|
150 uid=101(rimmer) gid=10(staff) groups=10(staff) |
|
151 after |