-rw-r--r-- README.md 27
1 files changed, 20 insertions, 7 deletions
diff --git a/README.md b/README.md
index f406225..abf1815 100644
--- a/README.md
+++ b/README.md
@@ -979,7 +979,7 @@ Rootly Powers and Processes
/usr/bin/chfn
```
- `/usr/bin/su` needs the setuid permission so that any user can attempt to run commands commands as another user.
+ `/usr/bin/su` needs the setuid permission so that any user can attempt to run commands as another user.
In order to verify this attempt, the program needs root privilege to verify credentials and access.
`/usr/bin/chsh` needs permission to edit the `/etc/passwd` file which is owned by root. Any user on the system
@@ -990,19 +990,32 @@ Rootly Powers and Processes
`/usr/bin/sudo` needs root privilege to execute a command as another user and very credentials and access.
This program can be run by any user to try to escalate their privilege.
- ```bash
- モ ls -alh /usr/bin/su
- -rwsr-xr-x. 1 root 82K Jul 19 04:56 /usr/bin/su*
- ```
-
+ `/usr/bin/crontab` can be executed by any user because every user can have their own crontab entries.
+ The crontab files are only writable by the root user so the crontab program needs to run as root.
2. Enumerate a sequence of commands that let you modify someone’s password entry, and show how you could cover your tracks. Assume you had only sudo power (all commands allowed, but not shells or su).
+
+
3. Create two entries for the sudoers configuration file:
- a. One entry that allows users Matt, Adam, and Drew to service the printer, to unjam the printer, and to restart printer daemons on the machine printerserver.
+ a. One entry that allows users Matt, Adam, and Drew to service the printer,
+ to unjam the printer, and to restart printer daemons on the machine printerserver.
+
+ ```text
+ User_Alias PRINT_ADMINS = matt, adam, drew
+ Cmnd_Alias PRINTER_MGMT = /usr/bin/lp, /usr/sbin/lpc, /usr/bin/lprm, /usr/bin/lpq, /usr/sbin/lpmove, /usr/bin/lpstat, /usr/bin/systemctl restart cups.service
+ PRINT_ADMINS printerserver= PRINTER_MGMT
+ ```
+
b. One entry that allows Drew, Smihgr, and Jim Lane to kill jobs and then reboot the machine.
+ ```text
+ User_Alias ADMINS = Drew, Smihgr, Jim Lane
+ Cmnd_Alias REBOOT = /usr/sbin/shutdown, /usr/bin/kill
+ ADMINS localhost = REBOOT
+ ```
+
## Lab 5
1. Write a shell script to help monitor the health of your /etc/passwd file.
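Review bot: In the 3b sudoers block, `User_Alias ADMINS = Drew, Smihgr, Jim Lane` is not valid as written, because a sudoers user name cannot contain an unescaped space; list the actual login names, and match the lowercase style used in 3a since user names are case-sensitive. In the same block, `ADMINS localhost = REBOOT` only applies when the machine's hostname is literally `localhost`, so use the real hostname or `ALL`. `/usr/bin/kill` with no argument restriction lets these users signal any process as root, which is broader than "kill jobs", and the alias name `REBOOT` hides that it grants kill. Question 2 gains only two blank lines and still has no answer. The context line above the crontab addition still reads "very credentials" where "verify" is meant, which this commit could fix along with the `su` typo.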