sudostrict alerts when target program or script can be edited by non-root user
# This wrapper alerts the user when the target is editable by non-root users.
#
# sudo is most often used to run a command or script with root privileges.
# IF the target program or script being run is editable by non-root users,
# THEN a privilege escalation attack is exposed:
# e.g. an attacker who has gained access to the user's environment could
# modify a non-root-editable program/script to elevate to root.
#
# IMPORTANT: be certain that the location this code is stored in and loaded
# from is editable only by the root user.
#
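#######################################
# Decide whether a file with the given mode/owner/group could be modified
# by a non-root user.
# Arguments: $1 - symbolic mode string as printed by `ls -l` / `stat %A`
#            $2 - owner name
#            $3 - group name
# Returns:   0 if non-root-modifiable, 1 otherwise
#######################################
_sudostrict_writable_by_nonroot() {
  local mode=$1 owner=$2 group=$3
  # Characters 2, 5 and 8 of the mode string are the owner, group and
  # other write bits. Each clause is a separate `if` on purpose: a chain
  # like `a && b || c && d || e` is left-associative in the shell and does
  # not express "(a&&b) || (c&&d) || e", which silently dropped the
  # owner-writable case when the group was root.
  # NOTE: POSIX ACLs (shown by ls as a trailing '+') are not inspected.
  if [[ "${mode:2:1}" == w && "$owner" != root ]]; then
    return 0
  fi
  if [[ "${mode:5:1}" == w && "$group" != root ]]; then
    return 0
  fi
  if [[ "${mode:8:1}" == w ]]; then
    return 0
  fi
  return 1
}

#######################################
# Resolve the command word sudo would execute to an absolute path.
# Arguments: $1 - command as typed (bare name or path)
# Outputs:   the resolved path on stdout, nothing if it cannot be found
# Returns:   0 on success, 1 if the command cannot be resolved
#######################################
_sudostrict_resolve() {
  local cmd=$1 path
  if [[ "$cmd" == */* ]]; then
    path=$cmd
  else
    # A bare name is looked up in the caller's PATH only; sudo's own
    # secure_path may differ, so the file sudo runs can still be another one.
    path=$(type -P "$cmd") || return 1
  fi
  # Follow symlinks so the permissions checked are those of the real file,
  # not of the link (which always shows as world-writable).
  path=$(readlink -f -- "$path" 2>/dev/null) || return 1
  [[ -n "$path" && -e "$path" ]] || return 1
  printf '%s\n' "$path"
}

#######################################
# sudo wrapper: warn on stderr when the command about to be run with root
# privileges lives in a file a non-root user can modify, then run sudo.
# Globals:   OPTIND (made local; bash does not reset it per function call)
# Arguments: the full sudo command line, e.g. `sudostrict -u bob vim /etc/x`
# Outputs:   ALERT / warning text on stderr; sudo's own output otherwise
# Returns:   sudo's exit status
#######################################
sudostrict() {
  local OPTIND=1 opt cmd target mode owner group
  # Skip sudo's own options so "${@:$OPTIND:1}" is the command word.
  # Options that take a value carry ':'. Long options (--user=...) are not
  # understood by getopts; the original had the same limitation.
  while getopts 'hHvVkKAnbEPsSilg:p:u:U:C:T:r:t:' opt; do :; done
  # Only the first non-option word is the command; the original joined all
  # remaining words into one string, so any command with arguments failed
  # to resolve and was never run.
  cmd="${@:$OPTIND:1}"

  if [[ -z "$cmd" ]]; then
    # No command word (e.g. `sudo -i`, `sudo -l`, `sudo -v`): nothing to check.
    /usr/bin/env sudo "$@"
    return
  fi

  if target=$(_sudostrict_resolve "$cmd"); then
    # GNU stat; matches the `readlink -f` dependency already in use.
    if read -r mode owner group < <(stat -c '%A %U %G' -- "$target"); then
      if _sudostrict_writable_by_nonroot "$mode" "$owner" "$group"; then
        printf '\nALERT: modifiable by non-root:\n\n%s %s %s %s\n\n' \
          "$mode" "$owner" "$group" "$target" >&2
      fi
    else
      printf 'sudostrict: could not stat %s\n' "$target" >&2
    fi
  else
    # Unresolvable here does not mean unresolvable for sudo (secure_path,
    # sbin directories); warn and let sudo report its own error if any.
    printf 'sudostrict: could not resolve location of command %s\n' "$cmd" >&2
  fi

  # The wrapper only alerts; it never blocks the invocation.
  /usr/bin/env sudo "$@"
}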
alias sudo='sudostrict ' |