Is it insecure to make Perl's prove command NOPASSWD in sudoers file?
I've got a Perl test script, initiated with `prove`, that tests a backup script that requires root privileges so rsync can change the permissions on the files it downloaded from a remote server.
So I've got the following in my Mac's sudoers file:

    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL
    %admin ALL=(ALL) NOPASSWD:/path/to/prove

It works. But my question is, since `prove` can be used to run pretty much any perl script written by the local user, is this a huge security risk?
security sudo perl
asked Jan 23 at 2:43
StevieD
It's yes, because anyone can write a Perl script to run any command as root. Just don't do it. – cuonglm, Jan 23 at 2:58
this is no different to allowing perl or awk or bash or any other script interpreter to be run as root....and, as they can run other programs, it's equivalent to allowing ANY program to be run as root with any args. – cas, Jan 23 at 4:33
1 Answer
Yes, that approach is insecure.
Write a specific wrapper that specifically runs your command which subsequently calls the `prove`, secure it so that only root can modify it, and put it somewhere only root can reach. Then, add that wrapper to the `sudoers` file.
Don't allow parameters in your script.
NB: Although, even that's open to abuse, if someone can modify either the first perl script, or the backup script. Have to ensure everything in the chain is modifiable only by `root`.
edited Jan 23 at 8:35
answered Jan 23 at 8:25
EightBitTony
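
The answer above ends on the caveat that everything in the chain must be modifiable only by root. The following is an added example, not part of the original answer, that audits exactly that; the wrapper and test-file paths and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Layout it audits (paths hypothetical):
#   wrapper  /usr/local/sbin/run-backup-tests : exec /path/to/prove /usr/local/libexec/backup.t
#   sudoers  %admin ALL=(ALL) NOPASSWD: /usr/local/sbin/run-backup-tests ""
# The trailing "" makes sudo refuse any arguments to the wrapper.

# check_one PATH UID: succeeds only if PATH is owned by UID and is neither
# group- nor world-writable; otherwise prints the reason and returns 1.
check_one() {
    if [ -L "$1" ]; then
        echo "UNSAFE $1: symlink, audit its target instead"; return 1
    fi
    # 'ls -ldn' is portable across macOS and Linux: field 1 = mode, field 3 = numeric uid.
    ls -ldn "$1" 2>/dev/null | awk -v p="$1" -v want="$2" '
        { seen = 1
          if ($3 != want)              { print "UNSAFE " p ": owner uid " $3; bad = 1 }
          if (substr($1, 6, 1) == "w") { print "UNSAFE " p ": group-writable"; bad = 1 }
          if (substr($1, 9, 1) == "w") { print "UNSAFE " p ": world-writable"; bad = 1 } }
        END { if (!seen) print "UNSAFE " p ": missing"
              exit ((seen && !bad) ? 0 : 1) }'
}

# check_path PATH UID [TOP]: check PATH and every parent directory up to TOP
# (default /), because a writable parent lets someone swap the file out.
check_path() {
    cp_cur=$1; cp_top=${3:-/}; cp_rc=0
    case $cp_cur in /*) ;; *) echo "UNSAFE $cp_cur: not an absolute path"; return 1 ;; esac
    while :; do
        check_one "$cp_cur" "$2" || cp_rc=1
        if [ "$cp_cur" = "$cp_top" ] || [ "$cp_cur" = / ]; then break; fi
        cp_cur=$(dirname "$cp_cur")
    done
    return $cp_rc
}

# audit_chain UID TOP FILE...: succeeds only if every FILE passes check_path.
audit_chain() {
    ac_uid=$1; ac_top=$2; shift 2; ac_rc=0
    for ac_f in "$@"; do
        check_path "$ac_f" "$ac_uid" "$ac_top" || ac_rc=1
    done
    return $ac_rc
}

# Production use, as root, listing the wrapper, prove, the test script and the backup script:
#   audit_chain 0 / /usr/local/sbin/run-backup-tests /path/to/prove /usr/local/libexec/backup.t
```

Run the audit whenever the wrapper or the scripts it reaches are redeployed; any `UNSAFE` line names a file or directory that a non-root user could use to change what runs under sudo.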