[Pkg-zenoss-team] [Zenoss] #1446: Use of sudo introduces unnecessary security risk

Zenoss trac at zenoss.org
Thu May 10 13:34:51 UTC 2007


#1446: Use of sudo introduces unnecessary security risk
----------------------+-----------------------------------------------------
 Reporter:  zenoss    |       Owner:  edahl     
     Type:  defect    |      Status:  new       
 Priority:  blocker   |   Milestone:  zenoss-2.0
Component:  All       |     Version:  1.8.2     
 Keywords:  security  |  
----------------------+-----------------------------------------------------
 Dear developers,

 you're requiring your users to add the following statements to
 /etc/sudoers:


 {{{
         echo PYTHONPATH and ZENHOME need to be added to the env_keep list in /etc/suders
         echo The following works as the content of /etc/sudoers on most Linux platforms:

         echo "#---------------------------------------------"
         echo 'Defaults    env_reset'
         echo "Defaults    env_keep = \"PYTHONPATH ZENHOME\""
         echo "$USERNAME ALL=(ALL) NOPASSWD: $PYTHON,/usr/bin/kill"

 }}}

 In our opinion this introduces an intolerable security risk which we're
 neither willing to introduce to Debian, nor would be allowed to do so.

 By giving the zenoss user sudo rights on the python interpreter, you're
 giving it in fact full root access to the box running Zenoss, as the
 python interpreter is capable of executing arbitrary commands. A malicious
 attacker (remember, often they're within a company!) could use a hole in
 any daemon running with the id of the zenoss user to execute his own
 scripts to gain root privileges on the system. Being able to use the
 zenoss user account in fact means being root on the machine.

 There're at least two ways to solve this:
   * use a (py) daemon, which runs with root privileges and listens on a
 unix socket, which is only writeable by the zenoss user. The user uses a
 client to talk to the daemon and send commands to execute to it.
   * write a wrapper in C/C++ to execute commands, and give it a setuid
 bit.

 Whichever way you solve the problem, you must NOT reuse the environment of the
 user, at least not $PATH. A new environment should be constructed and the
 program executed with it. Programs the daemon/wrapper/... is allowed to
 execute MUST be specified as accurately as possible.


 We'd be willing to help you with solving this problem, as this is mandatory
 for getting Zenoss into Debian.


 Best regards,


 Bernd Zeimetz
 for the Debian Zenoss packaging team

-- 
Ticket URL: <http://dev.zenoss.org/trac/ticket/1446>
Zenoss <http://example.com/>
Zenoss Monitoring System
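
Added example, not part of the ticket and not Zenoss or Debian code: the request check a root-side daemon of the kind proposed above could apply before executing anything, with a freshly constructed environment and an exact allowlist. The action names, the argument patterns and the ping entry are assumptions made for illustration; only /usr/bin/kill appears in the ticket.

```python
import re
import subprocess

# Fresh environment for every child: nothing is copied from the caller,
# so a PATH, PYTHONPATH or LD_PRELOAD set by the zenoss user is never used.
CLEAN_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "LANG": "C"}

# Hypothetical allowlist: action -> (absolute program path, one regex per argument).
ALLOWED = {
    "signal": ("/usr/bin/kill", [r"-(TERM|HUP)", r"[1-9][0-9]{0,6}"]),
    "ping": ("/bin/ping", [r"-c", r"[1-5]", r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}"]),
}


class Rejected(Exception):
    """The request does not match the allowlist."""


def build_invocation(action, args):
    """Return (argv, env) for an allowlisted request, or raise Rejected."""
    if action not in ALLOWED:
        raise Rejected(f"unknown action {action!r}")
    program, patterns = ALLOWED[action]
    if len(args) != len(patterns):
        raise Rejected("wrong number of arguments")
    for arg, pattern in zip(args, patterns):
        # fullmatch: the whole argument must fit the pattern, so no extra
        # option or shell metacharacter can ride along behind a valid prefix.
        if not isinstance(arg, str) or re.fullmatch(pattern, arg) is None:
            raise Rejected(f"argument {arg!r} not permitted")
    return [program, *args], dict(CLEAN_ENV)


def run_request(action, args):
    """Execute a validated request without a shell and with the clean env."""
    argv, env = build_invocation(action, args)
    return subprocess.run(argv, env=env, shell=False, close_fds=True,
                          stdin=subprocess.DEVNULL, capture_output=True,
                          timeout=30, check=False)
```

A daemon built around this would additionally confirm that the PID in a signal request belongs to a Zenoss process before calling run_request.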

