Re: [dev] Privilege escalation on remote hosts. MANY remote hosts.
I love how every discussion here eventually derails into "XYZ sucks".
Yes, XYZ sucks. But FGH sucks more. I want to do what FGH does, because
while FGH sucks, it solves a real-world problem.
Now back to PrivEsc, I actually found Antenore's suggestion inspiring.
It would work if we could force only part of the command to remain
constant, and use the constant part to perform non-interactive
authentication (e.g. by verifying a provided secret). Essentially
delegate authentication to a sub-command in a Bernstein-style exec
chain, like this:
$ sudo -n -- verifyme -- ./my-amazing-script
  ^ substitute doas, sup, etc
             ^ authn helper, no suid
                         ^ arbitrary; exec only if authn successful
Pros:
- Can perform non-interactive verification
- No new suid cruft on your system; can be written in plain sh
- No black magic, keep existing setup almost untouched
- Just one extra rule in sudoers / doas.conf / config.h
- Reuses and plays nice with existing PrivEsc methods
Cons:
- ?
<3,K.
Received on Fri Sep 22 2017 - 15:28:21 CEST
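
A sketch of the `verifyme` helper proposed in the message above, added here as an illustration; it is not code from the thread. The hash file path, the choice to pass the secret as the first line of stdin (which keeps it out of argv), and the function names are assumptions.

```shell
#!/bin/sh
# verifyme: unprivileged authn helper for an exec chain (added illustration).
# Assumptions: the secret is the first line of stdin, its SHA-256 hex digest
# is stored in HASH_FILE, and sha256sum is installed. The path is hypothetical.
HASH_FILE=/etc/verifyme.sha256

# Hex SHA-256 of the string in $1.
digest() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# check_secret SECRET HASHFILE: succeed only if SECRET hashes to the stored digest.
check_secret() {
    [ -n "$1" ] && [ -r "$2" ] || return 1
    want=
    IFS= read -r want < "$2" || [ -n "$want" ] || return 1
    [ "$(digest "$1")" = "$want" ]
}

# verifyme [--] CMD [ARGS...]: read one line from stdin, exec CMD only on a match.
verifyme() {
    [ "$1" = "--" ] && shift
    [ "$#" -gt 0 ] || { echo "usage: verifyme -- command [args...]" >&2; return 64; }
    secret=
    # read consumes exactly one line, so the rest of stdin reaches CMD intact.
    IFS= read -r secret || [ -n "$secret" ] || true
    if check_secret "$secret" "$HASH_FILE"; then
        unset secret
        exec "$@"          # end of the chain: this process becomes CMD
    fi
    echo "verifyme: authentication failed" >&2
    return 1
}

# Act as a command when given arguments; define functions only when there are none.
[ "$#" -eq 0 ] || { verifyme "$@"; exit "$?"; }
```

The hash file path is fixed in the script rather than taken from the environment, so a caller cannot point the helper at a digest of their own choosing.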