
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Before starting, open a second terminal with a root shell and keep it open
# for the whole session. It is your way back to root privileges if you lose
# the ability to obtain them via sudo during testing (a broken sudoers edit,
# or after root is turned into a role further below).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Make sure we are looking at the sudo version under test (and not an older
# binary found earlier in PATH)
sudo -V | grep version

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Test the digest (command checksum) feature

# Make sure that the following line is commented out in /etc/sudoers; it would
# grant /usr/bin/ls regardless of the digest and mask the result of this test.
# Use visudo for every sudoers edit in this file so that a syntax error cannot
# lock you out.
# ALL    ALL=(ALL) NOPASSWD: ALL

openssl dgst -sha224 /usr/bin/ls # make note of the hash

# Add this line to sudoers via visudo (replace LOGIN with your login name and
# HASH with the hex digest printed by openssl above):
<LOGIN> ALL = sha224:<HASH> /usr/bin/ls

# This should work, prompting for your password first (the rule has no NOPASSWD)
sudo /usr/bin/ls /

# Now change one character of the hash so that it no longer matches the
# binary and make sure that sudo refuses to run the command this time
sudo /usr/bin/ls /

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Add this line to sudoers via visudo. WARNING: it grants every user
# passwordless root; use it only on a disposable test machine and remove it
# once testing is finished.
ALL ALL=(ALL:ALL) NOPASSWD: ALL

# Make sure the command runs as root (uid=0, gid=0)
sudo id

# Make sure -g changes only the group: gid becomes sol_src while the uid stays
# yours (the (ALL:ALL) runas list permits the group-only switch)
sudo -g sol_src id

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Test that sudoedit can create a new file under /etc (the temporary copy is
# edited with your own privileges and then put in place as root)
sudoedit /etc/test
...
cat /etc/test # Make sure the text is there

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Auditing: verify that sudo invocations produce AUE_sudo audit records.
# NOTE: 'audit -t' stops the audit daemon and the rm below wipes the existing
# audit trail - run this on a test system only.
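# Stop auditing, clear the trail so this run starts from an empty directory,
# then restart auditing and dump what is there.
# If the cd fails, stop: the auditreduce glob below depends on the cwd.
cd /var/audit || echo 'cannot cd to /var/audit - do not continue' >&2
sudo /usr/sbin/audit -t
# Remove by absolute path, expanded with root privileges: the original
# 'sudo rm *' relied on the cwd being /var/audit and on the unprivileged
# shell being able to expand the glob there; a failed cd would have deleted
# the wrong directory's contents as root.
sudo sh -c 'rm -f -- /var/audit/*'
sudo /usr/sbin/audit -s
# praudit runs unprivileged; it only reads the pipe
sudo auditreduce * | praudit -s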
  file,1970-01-01 00:00:00.000 +00:00,
  file,2014-03-27 10:34:23.000 +00:00,

# Make sure that a new AUE_sudo record (from the 'sudo auditreduce' run above)
# is now present: the subject line should show your login and the root target,
# and the cmd line the command that was invoked
sudo auditreduce * | praudit -s
  file,2014-03-27 10:34:23.000 +00:00,
  header,158,2,AUE_sudo,,10.0.2.15,2014-03-27 10:34:23.735 +00:00
  subject,vmarek,root,staff,vmarek,staff,2295,3108723863,5096 202240 10.0.2.2
  path,/var/share/audit
  path,/usr/sbin/auditreduce
  cmd,argcnt,1,20140327103420.not_terminated.S12-43,envcnt,0,
  return,success,0
  file,2014-03-27 10:34:23.000 +00:00,

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# PAM credentials

# Make sure that 'root' is a role. NOTE: a role cannot log in directly; root
# is then only reachable via su/sudo from an authorized account, so keep the
# root shell from the first step open.
sudo usermod -K type=role root

# Note the audit preselection mask of the sudo-spawned shell; with the default
# flags it should probably be 'lo(0x1000,0x1000)'
sudo bash -c 'auditconfig -getpinfo $$'

# Add audit flags to root
sudo rolemod -K audit_flags=lo,ex:no root

# Make sure that the preselection mask now also contains the role's flags
# (lo,ex), i.e. sudo applied the root role's audit_flags via pam_setcred
sudo bash -c 'auditconfig -getpinfo $$'

# Disable PAM credential establishment in sudo by adding this line to sudoers
# (via visudo); the role's audit_flags should no longer be applied:
Defaults !pam_setcred

# Make sure that the preselection mask now shows only previous entry
sudo bash -c 'auditconfig -getpinfo $$'

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Solaris privileges

# Add this to the end of sudoers, keeping the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL'
# line above it (for the two listed commands this later rule takes precedence;
# everything else still matches the ALL rule). The empty '()' runas list means
# the commands run as yourself, with only the listed privileges added.
<LOGIN> ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash

# Just your regular id
id
  uid=157888(vmarek) gid=10(staff)

# Sudo normally turning you into root via the 'ALL ALL=(ALL:ALL) NOPASSWD: ALL' line
sudo id
  uid=0(root) gid=0(root)

# For bash (matched by the PRIVS rule) it should leave your uid/gid unchanged
# and only grant the dtrace privileges in all four privilege sets (E, I, P, L)
sudo bash -c 'id; ppriv $$'
uid=157888(vmarek) gid=10(staff)
  2296:   bash -c id; ppriv $$
  flags = <none>
          E: basic,dtrace_kernel,dtrace_proc,dtrace_user
          I: basic,dtrace_kernel,dtrace_proc,dtrace_user
          P: basic,dtrace_kernel,dtrace_proc,dtrace_user
          L: basic,dtrace_kernel,dtrace_proc,dtrace_user

# dtrace functionality: should work with just the dtrace_* privileges, without
# becoming root
sudo dtrace -l -n 'syscall::b*:entry'
     ID   PROVIDER            MODULE                          FUNCTION NAME
  11282    syscall                                                 brk entry
  11550    syscall                                            brandsys entry
  11642    syscall                                                bind entry

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Test noexec

# First verify that without a NOEXEC rule perl can spawn child processes
# (it still matches the ALL rule above, so 'id' runs as root)

$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),6(mail),7(tty),8(lp),12(daemon)
after

# Add the following to sudoers via visudo (this later rule wins for perl)

ALL     ALL = NOPASSWD: NOEXEC: /usr/perl5/5.12/bin/perl

# Now perl should be prevented from running further commands: system() fails,
# so no 'id' line appears between 'before' and 'after'. Keep in mind that
# noexec intercepts exec in dynamically linked programs only and, per
# sudoers(5), is not a complete defence against shell escapes.

$ sudo /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
after

# Perl itself works as expected when run without sudo (noexec only applies to
# commands started through sudo)

$ /usr/perl5/5.12/bin/perl -e 'print "before\n"; system("id -a"); print "after\n"'
before
uid=101(rimmer) gid=10(staff) groups=10(staff)
after

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

# Verify that the login "Last login..." message does not appear in sudo's
# output; the only output should be that of the command itself

$ sudo /bin/date
Thu Nov 10 08:24:57 UTC 2016