[juneau-lug] Re: visudo

• From: Stephen <sbodnar@xxxxxxx>
• To: juneau-lug@xxxxxxxxxxxxx
• Date: Tue, 03 Feb 2004 10:27:03 -0900

>On Sun, 01 Feb 2004 11:10:11 -0900
>Jamie <jamie@xxxxxxxxxxxxxxxxx> wrote:
>
>>  James, thanks for the better answer, but could you explain that a
>>  little more?  How is a file (this file) being editted inscure?  It
>>  creates an insecure temprary copy in a public directory?  Or can a
>>  non-priviledged user gain access to another users memory?  Where
>>  does the risk come from?
>>
>>  Thanks,
>>  -Jamie
>>
>
>The risk comes from a savvy user knowing that root is editing or will
>edit /etc/sudoers, and hijacking the temp files used by common
>editors.  Apparently some editors use predictable temp file names, or
>else allow multiple simultaneous edits of the file.  Visudo makes sure
>that the file is properly locked and not being edited.  How to
>actually do any of these attacks is beyond my knowledge - I've never
>actually tried to do that to myself.  It is probably a worthwhile
>project, as I'm starting to write more scripts that use temporary
>files here and there.
>
>From the man page:
>
>        visudo edits the sudoers file in a safe fashion, analogous to
>vipw(8).
>        visudo locks the sudoers file against multiple simultaneous
>edits, pro-
>        vides basic sanity checks, and checks for parse errors.  If the
>sudoers
>        file is currently being edited you will receive a message to
>try again
>        later.
>
>Cheers,
>
>James

Back when I was a mere slip of a sysadmin lad (early 90's), some folks
from the Univ. of Maryland were helping us set up the network over in
Cordova. It was Sun Solaris 2.3 (SunOS 5.3)based. They brought over a
bunch of custom scripts for editting system files. These were a bit of
overkill for a 30 node network with about 50 users, but certainly
appropriate for a large university with thousands of users and abusers.

The scripts, if I remember correctly, mostly used !/bin/sh but called
up RCS so the file could only be editted by one session at a time. This
was to prevent corruption of live system files, but also prevented the
security problems mentioned above.

Stephen


------------------------------------
This is the Juneau-LUG mailing list.
To unsubscribe, send an e-mail to juneau-lug-request@xxxxxxxxxxxxx with the 
word unsubscribe in the subject header.

• Follow-Ups:
  • [juneau-lug] Re: visudo
    • From: James Zuelow

• References:
  • [juneau-lug] Re: visudo
    • From: James Zuelow
  • [juneau-lug] Re: visudo
    • From: Jamie
  • [juneau-lug] Re: visudo
    • From: James Zuelow

Other related posts:

• » [juneau-lug] visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo
• » [juneau-lug] Re: visudo

1. Home
2. juneau-lug
3. Archive
4. 02-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---