[arch-devops] restricting sudoers PATH
Eli Schwartz
eschwartz at archlinux.org
Tue Sep 3 14:53:11 UTC 2019
On 9/3/19 10:35 AM, Jelle van der Waa wrote:
> Hi all,
>
> Thanks to anthraxx, we now restrict the PATH which `sudo
> extra-x86_64-build` and other sudoers-specific infra uses using
> restrict_path. This is to circumvent users overriding their own PATH with
> tools which are used in our build scripts, which basically allows privilege
> escalation. [1]
>
> This shouldn't cause any issues; if it does, contact me or anthraxx.
>
> [1] https://git.archlinux.org/infrastructure.git/commit/?id=1eb1dd41f8c734380a38609f2ae3cb2d37ea1dce

Thanks, anthraxx!

I was a bit surprised to find out that I could just drop arbitrary
scripts like "arch-nspawn" into $HOME/bin and get root on soyuz/dragon
without even trying. :/

Note: this also applied to the "archive" user on orion, which is not a
build box and also wouldn't allow root, but would allow any Dev/TU to
scribble all over archive.archlinux.org (which is supposed to only allow
adding new files, not deleting old ones).

--
Eli Schwartz
Bug Wrangler and Trusted User
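
An added example, not part of this thread or of the Arch infrastructure repository: a check that flags PATH entries a non-root user could populate, such as the $HOME/bin case described above, for use when auditing the environment a sudo-permitted script runs with. The names audit_path and trusted_uids are assumptions made for this sketch.

```python
import os
import stat
import tempfile

def audit_path(path_value, trusted_uids=(0,)):
    """Return (entry, reason) pairs for PATH entries an untrusted user could fill."""
    findings = []
    for entry in path_value.split(":"):
        if not os.path.isabs(entry):
            # "" and "." resolve against the caller's working directory.
            findings.append((entry, "empty or relative entry"))
            continue
        # A missing directory can be created by whoever controls its nearest
        # existing ancestor, so judge that ancestor instead.
        probe = os.path.realpath(entry)
        while not os.path.exists(probe):
            probe = os.path.dirname(probe)
        st = os.stat(probe)
        if st.st_uid not in trusted_uids:
            findings.append((entry, f"{probe} is owned by uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, f"{probe} is group- or world-writable"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a private directory standing in for $HOME/bin,
    # placed ahead of the system directories as a user's PATH might be.
    # Run as an unprivileged user to see the first entry reported.
    fake_home_bin = tempfile.mkdtemp(prefix="home-bin-")
    sample = f"{fake_home_bin}:/usr/local/bin:/usr/bin"
    for entry, reason in audit_path(sample):
        print(f"UNSAFE {entry!r}: {reason}")
```

Any finding means the privileged script should not inherit that PATH; a fixed PATH of root-owned directories set on the sudo side avoids the lookup altogether.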