Skip to content

Remove --sudoers, improve --sudoers-no-modify#745

Merged
brianmay merged 1 commit intosshuttle:masterfrom
skuhl:sudoer-changes
Mar 12, 2022
Merged

Remove --sudoers, improve --sudoers-no-modify#745
brianmay merged 1 commit intosshuttle:masterfrom
skuhl:sudoer-changes

Conversation

@skuhl
Copy link
Contributor

@skuhl skuhl commented Mar 11, 2022

Allowing sshuttle to add/overwrite sudoers configuration file at
locations of the users' choosing adds complexity to the code compared
to asking users to install the sudo configuration themselves. It
requires sshuttle to make decisions about how much effort we put into
ensuring that the file is written to a proper location. The current
method relies on the 'realpath' program which is not installed on
MacOS by default.

There are serious problems when the sudo configuration is used to
allow a user to only run sshuttle as root (with or without a
password). First, that user could then use the --sudoers option to
give other users sudo privileges. Second, the user can run any command
as root because sshuttle accepts a --ssh-cmd parameter which allows a
user to specify a program that sshuttle should run. There may also be
additional issues that we have not identified.

By removing the --sudoers option (and the associated sudoers-add
script), this reduces the problems above. This code keeps the
--sudoers-no-modify feature which prints a configuration to stdout for
the user to install. It includes a clear warning about how --ssh-cmd
could potentially be abused to run other programs.

A warning about some of these issues has been in sshuttle since
version 1.1.0. This commit also adds that warning to more locations in
the documentation.

@skuhl
Remove --sudoers, improve --sudoers-no-modify
f6446b7 
Allowing sshuttle to add/overwrite sudoers configuration file at
locations of the users' choosing adds complexity to the code compared
to asking users to install the sudo configuration themselves. It
requires sshuttle to make decisions about how much effort we put into
ensuring that the file is written to a proper location. The current
method relies on the 'realpath' program which is not installed on
MacOS by default.

There are serious problems when the sudo configuration is used to
allow a user to *only* run sshuttle as root (with or without a
password). First, that user could then use the --sudoers option to
give other users sudo privileges. Second, the user can run any command
as root because sshuttle accepts a --ssh-cmd parameter which allows a
user to specify a program that sshuttle should run. There may also be
additional issues that we have not identified.

By removing the --sudoers option (and the associated sudoers-add
script), this reduces the problems above. This code keeps the
--sudoers-no-modify feature which prints a configuration to stdout for
the user to install. It includes a clear warning about how --ssh-cmd
could potentially be abused to run other programs.

A warning about some of these issues has been in sshuttle since
version 1.1.0. This commit also adds that warning to more locations in
the documentation.
@brianmay
Copy link
Member

brianmay commented Mar 12, 2022

I haven't seen any objections to this proposal in any of the discussions anywhere. Will wait until tomorrow morning, then merge.

@brianmay brianmay merged commit 5719d42 into sshuttle:master Mar 12, 2022
This was referenced Mar 14, 2022
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brianmay brianmay brianmay approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@skuhl @brianmay