AIXTOOLS, IBM AIX and POWER Portal

AIX => AIXTOOLS => Topic started by: bhm on February 09, 2021, 03:38:20 PM

Title: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 09, 2021, 03:38:20 PM
Hello !

First, thanks for your great job, it helped me a lot for bypassing a lot of annoying dependencies (SUDO and Python3)

Following "CVE-2019-14287 sudo Vulnerability", do you plan to deliver a new version of SUDO?
I can handle with RPMs, but your solution is cleaner so far...

Thanks in advance.

Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: dke on February 10, 2021, 02:27:49 PM
+1
Thanks
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 10, 2021, 07:09:23 PM
Sure - I no longer try and do those in advance.

Any interest in an RBAC-enabled sudo? It works just the same - BUT - as an addition, a user needs to have an RBAC authentication (I have an example on how to set it up).

On the outside - the biggest change is that the binary is not rwsr-xr-x root, but (as the viewer sees it) r-x------ sudo_usr sudo_grp.

I'll look into it tomorrow.

p.s. Assuming sudo now has a github (mirror) I'll fork that and post any changes I make for RBAC. Otherwise, it is just code 'as-is'.
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 11, 2021, 07:28:08 AM
New version is available at: http://download.aixtools.net/tools/aixtools.sudo.1.9.5.1602.I

Note - the wiki is not updated yet. Just to be sure - test install on a scratch server.

And, contrary to previous policy - if it sees an existing sudo installation - it stops (read aborts) installation.

Code:
# Refuse to install over another sudo (RPM package or LPP fileset sudo.rte)
# so the two copies cannot shadow each other's binaries and config files.
if rpm -q sudo >/dev/null 2>&1 || lslpp -L sudo.rte >/dev/null 2>&1; then
        cat <<EOF 2>&1
+-----------------------------------------------------------------------------+
Another version of sudo is currently installed.
The versions should not override each other - but  - to be safe - AIXTOOLS
will not install sudo until it has been removed.

Be sure to save any configuration files before you remove the old and note
that the default locations for AIXTOOLS is /var/sudo/etc and /opt/bin
+-----------------------------------------------------------------------------+
EOF
        exit 1
fi
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 11, 2021, 08:47:16 AM
Quote from: bhm
Hello !

First, thanks for your great job, it helped me a lot for bypassing a lot of annoying dependencies (SUDO and Python3)

Following "CVE-2019-14287 sudo Vulnerability", do you plan to deliver a new version of SUDO?
The old version (1.8.31) was already patched for this (1.8.28 and earlier).
Quote from: bhm
I can handle with RPMs, but your solution is cleaner so far...
Thx!
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 18, 2021, 04:02:00 PM
Yeah !!! Great !

Can you please give an example of RBAC authentication for users?

sudo-ldap was very easy with no extra config.


Thanks again

Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 18, 2021, 05:36:41 PM
OK. Sudo-ldap was 1.8.31 still. For the sudo-rbac, I'll need to build a new one.

The key elements: sudo is not SUID (root), it is 'just an application' - that I setup to be owned by 'sudo' - and it runs, under the covers, as SUID (sudo) so that it can read and edit the sudo-config files.

From my presentation - in 2017 - I have this as the basic setup after installation:

# create the 'sudo' authorization and refresh the kernel security tables
mkauth sudo
setkst
# create a role 'sudoers' that carries the 'sudo' authorization
mkrole authorizations='sudo' dfltmsg='sudoers role' sudoers
setkst

# register /opt/bin/sudo as a privileged command: only holders of the 'sudo'
# authorization may execute it, and it receives the listed privileges
# from the kernel instead of being SUID root
setsecattr -c accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R inheritprivs=PV_ROOT secflags=FSF_EPS /opt/bin/sudo
setkst

# strip all group/other access to the binary
chmod og-rwx /opt/bin/sudo

# create a user who holds the 'sudoers' role and set an initial password
mkuser roles=sudoers michael
pwdadm michael
Changing password for "michael"
michael's New password:
Setting "michael's" password to NULL.


As root: add michael as a sudoer

vi /var/sudo-rbac/etc/sudoers
# add michael as test user
michael ALL=(ALL) ALL


And working with sudo - as michael:


ls -l /opt/bin/sudo
-rws------    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo

sudo ls /etc/security
ksh: sudo: 0403-006 Execute permission denied.

michael@x065:[/home/michael]swrole sudoers
michael's Password:

michael@x065:[/home/michael]sudo ls /etc/security

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
acl              domains          ice              mkuser.default   privcmds         pwdhist.dir      smitacl.user     user.roles
aixpert          domobjs          lastlog          mkuser.sys       privcmds.backup  pwdhist.pag      sysck.cfg
audit            environ          ldap             passwd           privdevs         roles            tsd
authorizations   fpm              limits           portlog          privfiles        services         tss
certificates     group            login.cfg        priv             pwdalg.cfg       smitacl.group    user

michael@x065:[/home/michael]ls /etc/security
ls: /etc/security: The file access permissions do not allow the specified action.


* So, the key difference is that sudo is not SUID root - and only users with an active role can execute sudo.
* that is, if you do not have the role to access sudo - you cannot even probe if the setup is weak.
* without RBAC as a security mechanism - everyone can execute sudo - and it is up to the sudo configuration to stop - after the fact - unauthorized users.
* the rest of the configuration is the same
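The point of the bullets above is a difference an administrator can check on disk: classic sudo is setuid root and executable by everyone (-rwsr-xr-x root), while the RBAC build keeps a setuid bit for its own non-root owner and has no group/other permission bits at all (-rws------). The following POSIX shell helper is an added example, not Michael's script and not part of the AIXTOOLS package; the function names (classify_mode, classify_path, audit_sudo) and the report format are my own, and it only reads the mode string that ls -l prints, so it works the same on AIX, Linux or BSD.

```shell
#!/bin/sh
# Added example: classify how a sudo binary is exposed, from its ls -l mode.
#
#   classic-suid : setuid bit set AND some group/other permission present
#                  (e.g. -rwsr-xr-x): every local user can execute it and
#                  only the sudoers policy, after the fact, says no.
#   rbac-style   : setuid bit set, no group/other bits (e.g. -rws------):
#                  only a process that already holds the role/authorization
#                  (or the owner) can execute it at all.
#   not-suid     : setuid bit clear.
#   missing      : path does not exist.

# classify_mode MODESTRING  -- MODESTRING is the first field of `ls -l`
classify_mode() {
    mode=$1
    ubit=$(printf '%s' "$mode" | cut -c4)      # owner execute slot: x, s or S
    rest=$(printf '%s' "$mode" | cut -c5-10)   # group + other permission bits
    case "$ubit" in
        s|S) ;;                                # setuid bit present
        *)   echo not-suid; return 0 ;;
    esac
    if [ "$rest" = "------" ]; then
        echo rbac-style
    else
        echo classic-suid
    fi
}

# classify_path PATH -- run ls -ld on a real file and classify it
classify_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
        return 0
    fi
    # cut -c1-10 drops any trailing ACL/extended-attribute marker such as '+'
    classify_mode "$(ls -ld "$p" | cut -c1-10)"
}

# audit_sudo PATH -- one-line report: owner plus exposure class, e.g.
#   /opt/bin/sudo owner=bin class=rbac-style
audit_sudo() {
    p=$1
    cls=$(classify_path "$p")
    if [ "$cls" = missing ]; then
        echo "$p missing"
        return 0
    fi
    owner=$(ls -ld "$p" | awk '{print $3}')
    echo "$p owner=$owner class=$cls"
}

# Demonstration with the two mode strings quoted in this thread
# (constructed input, no real files needed); a real run would be
#   audit_sudo /opt/bin/sudo
demo() {
    classify_mode "-rwsr-xr-x"
    classify_mode "-rws------"
}
```

A result of classic-suid together with owner=root is the traditional layout, where the sudoers file is the only barrier; rbac-style with a non-root owner is what the setsecattr/chmod steps above produce, and a not-suid result on a binary that is supposed to be the RBAC build means the privileged-command registration or the mode was lost (for example by a reinstall that reset permissions).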
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 19, 2021, 10:36:52 AM
Hi Michael,

Ok , that's also a great solution.

When I'm checking build options, I see "--without-ldap", which causes SUDO to use IBM libs... and seems to block me. Am I right?
Your previous SUDO-LDAP was using openldap libs and built with the "--with-ldap" option.

For now, I managed to patch AIX 6.1 and 7.x with RPM without too many difficulties and openldap libs. But AIX 5.3 makes some resistance with RPMs... :-)

Thanks again.

Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 19, 2021, 04:41:15 PM
sudo-ldap will do either IBM ldap - if that software is installed, or openldap - if that is installed.

sudo or sudo-ldap - if integrated with RBAC - is only suitable for AIX 6.1 and later.

Are you interested in my packaging of sudo for AIX 6.1/7.1 - as you have already updated?

I'll get several versions re-made next week. Off to see my grandson! Priorities!

Michael

p.s. - AIX 5.3 - TL12 I hope - if not, let me know - I'll reinstall my TL7 image.
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 19, 2021, 04:49:16 PM
Hi Michael !

Enjoy your family time !!

All AIX 6.1 and 7.1 are patched with RPM version now on my side.

Only AIX 5.3 TL12 SP9 remaining. I used "aixtools.sudo-ldap.1.8.31.1.I" version on them last year and it worked perfectly.
I was looking for the same but with SUDO 1.9.5p2

Thanks
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 19, 2021, 06:30:47 PM
OK. Now I know what to build. Much easier to plan!

btw: the CVE mentioned was already patched in the 1.8.31 version. The CVE was valid for 1.8.28 and earlier - if I read that correctly.
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 20, 2021, 12:32:25 PM
If all is working well: http://download.aixtools.net/tools/aixtools.sudo-ldap.1.9.5.1602.I should work on your AIX 5.3 systems
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 22, 2021, 09:16:03 AM
Hello Michael,

And it is a success !!! A few reconfigurations to match my config files, that's normal... It is perfect !!!

I've tested it on AIX 5.3 TL12 and 7.1 TL05

Again, thank you for all your work on your Tools, you relieve our AIX Admin brains, and for your huge reactivity on that case :-)


Bye !
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: Michael on February 22, 2021, 09:26:50 AM
I suppose I should consider asking $$ or euros - does this save you $$ time or effort?
Title: Re: New version based on SUDO 1.9.5p2 ?
Post by: bhm on February 22, 2021, 09:43:55 AM
Hi !

Mmm... For AIX 7.1 and 6.1, it is efforts and time.

For AIX 5.3, it can turn into penalties for not being compliant regarding security breaches like this last one.
Even if those OS versions are a hundred years old...

You should start by adding a "Donation" box on the homepage, so anybody can participate :-)

Bye.