Commit 1eb1dd41 authored by Levente Polyak's avatar Levente Polyak 🚀 Committed by Jelle van der Waa
Browse files

sudo: restrict PATH to protect against privilege escalation attacks



Protect from simple privilege escalation attacks on scripts that are
granted privileged execution for unprivileged users by restricting
the PATH to a static set.
Without doing so, it is a trivial attack to provide a binary used
by a privileged script that executes former without an absolute path
to escalate privileges by gaining code execution through that binary.

Anything run with elevated privileges through sudo shall never ever
have the possibility to pass on the unsanatized PATH from an
unprivileged user.
Signed-off-by: Levente Polyak's avatarLevente Polyak <anthraxx@archlinux.org>
parent 8fa81d4c
......@@ -20,3 +20,12 @@
insertafter: '^# %wheel ALL=\(ALL\) ALL'
line: '%wheel ALL=(ALL) ALL'
validate: 'visudo -cf %s'
- name: secure path to protect against attacks
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
validate: 'visudo -cf %s'
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment