[sf-lug] user sudo to itself

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Oct 14 22:03:02 PDT 2022


On 2022-10-11 22:43, Yong Tang wrote:
> Hi LUGers,
> 
> I have a question about sudo log.
> 
> In my workplace, users need to sudo to a user named "super" to
> escalate their privilege.  When I browsed the /var/log/secure, I found
> some entries like this below:
> 
> ...:sudo:super: .... : USER=super: .....: /sbin/rm -rf /abc/efg: ......
> 
> I can't figure out in what circumstances that an account like "super"
> sudo to itself.  Any help would be appreciated.

Well ... sudo ... if you allow ... or allow and don't disallow, then ... 
it can, so, let's see ...
First of all what would create a log entry looking like that ...
I'll use account test, rather than super ... notably I already have such 
an account,
and for which it is also suitably named, so ...
# SUDO_EDITOR=/usr/bin/ed visudo -f /etc/sudoers.d/test
44
1,$d
0a
test ALL=(ALL:ALL) NOPASSWD: /usr/bin/rm -rf /abc/efg
.
w
54
q
# sudo -l -U test | sed -ne '/may/,$p'
User test may run the following commands on tigger:
     (ALL : ALL) NOPASSWD: /usr/bin/rm -rf /abc/efg
# ls -ld /abc 2>>/dev/null || echo Nope.
Nope.
# su - test
$ id
uid=1009(test) gid=1009(test) groups=1009(test),29(audio),44(video)
$ sudo -u test /usr/bin/rm -rf /abc/efg
$ echo "$?"
0
$ exit
logout
# cd /var/log
# find . -type f ! -mtime +10 ! -size 0 ! -name \*.gz -exec fgrep -al 
/abc/efg \{\} \; 2>>/dev/null
./auth.log
# fgrep /abc/efg auth.log
Oct 15 04:50:09 tigger sudo:     test : TTY=pts/9 ; PWD=/home/t/test ; 
USER=test ; COMMAND=/usr/bin/rm -rf /abc/efg
#
So ... my log entry from that test looks pretty similar to yours.  What 
if anything is surprising?
Do you allow the permitted sudo command(s) to go to user(s) such as 
super, or what target user(s) exactly do
you allow the sudo commands to user as user(s)?  Sure, default is root, 
but one may specify otherwise ...
e.g. I have sudo commands that run not as user root, but group, or group 
and user bind.
What do you get for:
# sudo -l -U super
What relevant entry(/ies) do you have in sudoers(5)?

# SUDO_EDITOR=/usr/bin/ed visudo -f /etc/sudoers.d/test
54
g/^/s/^/#/
w
55
q
#



More information about the sf-lug mailing list