[arch-devops] restricting sudoers PATH

Eli Schwartz eschwartz at archlinux.org
Tue Sep 3 14:53:11 UTC 2019

On 9/3/19 10:35 AM, Jelle van der Waa wrote:
> Hi all,
> Thanks to anthraxx, we now restrict the PATH which `sudo
> extra-x86_64-build` and other sudoers specific infra uses using
> restrict_path. To circumvent users overridding their own PATH with tools
> which are used in our build scripts which basically allows privilege
> escalation. [1]
> This shouldn't cause any issues, if they do contact me or anthraxx.
> [1] https://git.archlinux.org/infrastructure.git/commit/?id=1eb1dd41f8c734380a38609f2ae3cb2d37ea1dce

Thanks, anthraxx!

I was a bit surprised to find out that I could just drop arbitrary
scripts like "arch-nspawn" into $HOME/bin and get root on soyuz/dragon
without even trying. :/

Note: this also applied to the "archive" user on orion, which is not a
build box and also wouldn't allow root, but would allow any Dev/TU to
scribble all over archive.archlinux.org (which is supposed to only allow
adding new files, not deleting old ones).

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20190903/6ea960aa/attachment.sig>

More information about the arch-devops mailing list