Explicit arguments in sudo specifications
An XCCDF Rule
Description
All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
warning alert: Warning
root ALL=(ALL) echo 1\,2
allows root to execute echo 1,2
, but the check would interpret it as two commands echo 1\
and 2
.warning alert: Warning
Rationale
Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option:
user ALL = dmesg ""
- ID
- xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args
- Severity
- Medium
- References
- Updated