[Pkg-zenoss-team] [Zenoss] #1446: Use of sudo introduces unnecessary security risk
Zenoss
trac at zenoss.org
Thu May 10 13:34:51 UTC 2007
#1446: Use of sudo introduces unnecessary security risk
----------------------+-----------------------------------------------------
Reporter: zenoss | Owner: edahl
Type: defect | Status: new
Priority: blocker | Milestone: zenoss-2.0
Component: All | Version: 1.8.2
Keywords: security |
----------------------+-----------------------------------------------------
Dear developers,
you're requiring your users to add the following statements to
/etc/sudoers:
{{{
echo PYTHONPATH and ZENHOME need to be added to the env_keep list in /etc/suders
echo The following works as the content of /etc/sudoers on most Linux platforms:
echo "#---------------------------------------------"
echo 'Defaults env_reset'
echo "Defaults env_keep = \"PYTHONPATH ZENHOME\""
echo "$USERNAME ALL=(ALL) NOPASSWD: $PYTHON,/usr/bin/kill"
}}}
In our opinion this introduces an intolerable security risk which we're
neither willing to introduce to Debian, nor would be allowed to do so.
By giving the zenoss user sudo rights on the python interpreter, you're
giving it in fact full root access to the box running Zenoss, as the
python interpreter is capable of executing arbitrary commands. A malicious
attacker (remember, often they're within a company!) could use a hole in
any daemon running with the id of the zenoss user to execute his own
scripts to gain root privileges on the system. Being able to use the
zenoss user account in fact means being root on the machine.
There're at least two ways to solve this:
* use a (py) daemon, which runs with root privileges and listens on a
unix socket, which is only writeable by the zenoss user. The user uses a
client to talk to the daemon and send commands to execute to it.
* write a wrapper in c/c++ to execute commands, and give it a setuid
bit.
In any way to solve the problem, you must NOT reuse the environment of the
user, at least not $PATH. A new environment should be constructed and the
program executed with it. Programs the daemon/wrapper/... is allowed to
execute MUST be specified as accurately as possible.
We'd be willing to help you on solving this problem, as this is mandatory
for getting Zenoss into Debian.
Best regards,
Bernd Zeimetz
for the Debian Zenoss packaging team
--
Ticket URL: <http://dev.zenoss.org/trac/ticket/1446>
Zenoss <http://example.com/>
Zenoss Monitoring System
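
Added example (not part of the original ticket, and not Zenoss or Debian code): a sketch of the setuid wrapper option described above, with a compiled-in allowlist, a validated single argument and an environment built from scratch. The action names, binary paths and options are hypothetical placeholders, and the wrapper is assumed to be installed root-owned and executable only by the zenoss user.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist (not from the Zenoss code base): each action maps to
   one absolute path and fixed options; the caller supplies only a target. */
struct action { const char *name; const char *path; const char *opt; };
static const struct action ACTIONS[] = {
    { "ping-once", "/bin/ping",     "-c1" },
    { "syn-scan",  "/usr/bin/nmap", "-sS" },
};

/* Environment built from scratch; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Exact-match lookup; returns NULL for anything not compiled in. */
const struct action *find_action(const char *name)
{
    size_t i;
    for (i = 0; name && i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0) return &ACTIONS[i];
    return NULL;
}

/* Accept only host names / IP literals: [A-Za-z0-9.:-], 1..253 chars, and no
   leading '-' so the target can never be parsed as an option. */
int valid_target(const char *t)
{
    size_t i, n = t ? strlen(t) : 0;
    if (n == 0 || n > 253 || t[0] == '-') return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)t[i]) && !strchr(".:-", t[i])) return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    const struct action *a = (argc == 3) ? find_action(argv[1]) : NULL;
    if (a == NULL || !valid_target(argv[2])) {
        fprintf(stderr, "usage: wrapper <action> <target>\n");
        return 2;
    }
    char *child_argv[] = { (char *)a->path, (char *)a->opt, argv[2], NULL };
    execve(a->path, child_argv, CLEAN_ENV);   /* no $PATH search, fresh env */
    perror("execve");
    return 126;
}
```

Because the interpreter itself is not on the allowlist and PYTHONPATH never reaches the child, a compromised zenoss account can only trigger the listed actions with a constrained target.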