ec2-user ALL = NOPASSWD: ALL
Which means, ec2-user is allowed to run any command, without providing a password, while logged in from any machine. But only as root—since the Runas_Spec is missing, the default of (root) is assumed.
This is entirely pointless because it also ships with the common PAM configuration, in which /etc/pam.d/su contains:
auth sufficient pam_rootok.so
So the game of Simon Says, in order to bypass the root-only sudo restriction so you can run as any user, password-free, without touching files in /etc in advance, becomes:
sudo su -s /bin/bash $TARGET_USER <pwn.sh
Normally, su uses the shell for the user as listed in /etc/passwd, but if we're interested in a /sbin/nologin account, then we can set any other shell listed in /etc/shells with the -s flag.
When you give any account root access, they probably have the whole machine. I'm not sure what sudo was hoping to accomplish by "limiting" the default Runas_Spec to root.
* It also ships with Defaults requiretty, which means you actually need someone to allocate you a controlling terminal for sudo to work, even though ec2-user doesn't need a password, and visiblepw is disabled by default.
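An added example, not part of the original post: a small Python audit that reads sudoers and /etc/pam.d/su text and reports which rules reach any account through the sudo-then-su path described above. The sample file contents and the names audit and su_trusts_root are constructed for illustration, and the parser is simplified (no aliases, includes or line continuations).

```python
import re

# Constructed sample files; the ec2-user and pam_rootok lines are the ones quoted in the post.
SUDOERS = """\
Defaults requiretty
ec2-user ALL = NOPASSWD: ALL
deploy ALL = (appsvc) NOPASSWD: /usr/bin/systemctl restart app
"""
PAM_SU = """\
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
"""
# user host = [(runas)] [TAG:]... commands  (simplified grammar, an assumption of this example)
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")


def su_trusts_root(pam_text):
    """True if the su auth stack marks pam_rootok.so as sufficient."""
    for line in pam_text.splitlines():
        f = line.split("#", 1)[0].split()
        if f[:2] == ["auth", "sufficient"] and len(f) > 2 and f[2].endswith("pam_rootok.so"):
            return True
    return False


def audit(sudoers_text, pam_text):
    """Return (user, declared_runas, nopasswd, reaches_any_account) per user rule."""
    pivot = su_trusts_root(pam_text)
    findings = []
    for line in sudoers_text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) == "Defaults" or m.group(1).endswith("_Alias"):
            continue
        user, runas, tags, cmds = m.groups()
        # Runas users precede any ':' (runas group); a missing Runas_Spec defaults to root.
        runas_users = [r.strip() for r in (runas or "root").split(":")[0].split(",")]
        cmd_list = [c.strip() for c in cmds.split(",")]
        as_root = "root" in runas_users or "ALL" in runas_users
        # Root plus unrestricted commands (or su itself) plus pam_rootok: su to any account.
        runs_su = "ALL" in cmd_list or any(c.split(" ")[0].endswith("/su") for c in cmd_list)
        findings.append((user, ",".join(runas_users), "NOPASSWD:" in tags,
                         as_root and runs_su and pivot))
    return findings


if __name__ == "__main__":
    for row in audit(SUDOERS, PAM_SU):
        print(row)
```

A rule whose last field is True is one where the declared Runas_Spec says nothing about which accounts the user can actually act as.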