Which means, ec2-user is allowed to run any command, without providing a password, while logged in from any machine. But only as root—since the
ec2-user ALL = NOPASSWD: ALL
Runas_Specis missing, the default of
This is entirely pointless because it also ships with the common PAM configuration, in which /etc/pam.d/su contains:
So the game of Simon Says, in order to bypass the root-only sudo restriction so you can run as any user, password-free, without touching files in /etc in advance, becomes:
auth sufficient pam_rootok.so
Normally, su uses the shell for the user as listed in /etc/passwd, but if we're interested in a
sudo su -s /bin/bash $TARGET_USER <pwn.sh
/sbin/nologinaccount, then we can set any other shell listed in
When you give any account root access, they probably have the whole machine. I'm not sure what sudo was hoping to accomplish by "limiting" the default Runas_Spec to root.
* It also ships with
Defaults requirettywhich means you actually need someone to allocate you a controlling terminal for sudo to work, even though ec2-user doesn't need a password, and visiblepw is disabled by default.
Post a Comment