sudo: restrict PATH to protect against privilege escalation attacks

Protect from simple privilege escalation attacks on scripts that are granted privileged execution for unprivileged users by restricting the PATH to a static set. Without doing so, it is a trivial attack to provide a binary used by a privileged script that executes former without an absolute path to escalate privileges by gaining code execution through that binary. Anything run with elevated privileges through sudo shall never ever have the possibility to pass on the unsanatized PATH from an unprivileged user. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

sudo: restrict PATH to protect against privilege escalation attacks
Protect from simple privilege escalation attacks on scripts that are granted privileged execution for unprivileged users by restricting the PATH to a static set. Without doing so, it is a trivial attack to provide a binary used by a privileged script that executes former without an absolute path to escalate privileges by gaining code execution through that binary. Anything run with elevated privileges through sudo shall never ever have the possibility to pass on the unsanatized PATH from an unprivileged user. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
1eb1dd41 · Levente Polyak · Jelle van der Waa · 8fa81d4c · 1eb1dd41
Commit 1eb1dd41 authored Sep 03, 2019 by Levente Polyak 🚀 Committed by Jelle van der Waa Sep 03, 2019
--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -20,3 +20,12 @@
    insertafter: '^# %wheel ALL=\(ALL\) ALL'
    line: '%wheel ALL=(ALL) ALL'
    validate: 'visudo -cf %s'
+
+- name: secure path to protect against attacks
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+    insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
+    line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
+    validate: 'visudo -cf %s'