Preventing regular scripts from gaining root access through sudo in RHEL

Solution Verified - Updated -

Issue

After /etc/sudoers or a file under /etc/sudoers.d/ is configured to allow a user to run a script as root, malicious code can be inserted into the script and then run as root, as in this example:

# cat /etc/sudoers.d/john
john ALL=(root) NOPASSWD: /home/john/harmless.sh

As user john, the script is modified with malicious code:

[john@lab ~]$ cat harmless.sh
su -   <====== changed/inserted after the sysadmin had inspected the file's contents and configured /etc/sudoers.d/john above

[john@lab ~]$ sudo ./harmless.sh
Last login: Ter Mar 19 14:07:39 -03 2019 on pts/1
[root@lab ~]# 
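
One way to detect rules like the one above is to check that every command path granted in sudoers, and every directory above it, is owned by root and not writable by group or others. This is an added example, not part of the original article; the function names are hypothetical and it assumes GNU stat as shipped with RHEL.

```shell
#!/bin/sh
# Added example: audit sudoers command paths (function names are hypothetical).

# Print absolute command paths granted by sudoers-style lines on stdin.
# Covers only the simple "user host=(runas) TAG: /cmd, /cmd" form.
sudoers_commands() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }
    {
        sub(/^[^=]*=[ \t]*/, "")        # drop "user host="
        sub(/^\([^)]*\)[ \t]*/, "")     # drop "(runas)"
        n = split($0, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/^[ \t]*([A-Z_]+:[ \t]*)*/, "", c)   # drop tags like NOPASSWD:
            split(c, w, " ")
            if (w[1] ~ /^\//) print w[1]
        }
    }'
}

# True when the owner uid is 0 and the octal mode has no group/other write bit.
owner_mode_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Check PATH and every parent directory up to /. Prints the first component
# a non-root user could modify or replace and returns 1; returns 0 if none.
# stat -L judges a symlink by its target; the link's directory is still checked.
root_controlled() {
    case $1 in /*) p=$1 ;; *) echo "not absolute: $1"; return 1 ;; esac
    while :; do
        st=$(stat -L -c '%u %a' -- "$p" 2>/dev/null) ||
            { echo "cannot stat: $p"; return 1; }
        owner_mode_ok "${st% *}" "${st#* }" ||
            { echo "not root-controlled: $p (uid ${st% *}, mode ${st#* })"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}

# Audit every command in sudoers FILE; exit status 1 if any path is flagged.
audit_sudoers() {
    sudoers_commands < "$1" | (
        rc=0
        while IFS= read -r cmd; do root_controlled "$cmd" || rc=1; done
        exit "$rc"
    )
}
```

After sourcing the functions, run `audit_sudoers /etc/sudoers.d/john` as root so that every path component can be examined.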

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 7.2 and above
  • sudo
    • 1.8.6p7-16.el7 and above
