Rate This Document
Findability
Accuracy
Completeness
Readability

Ensuring That sudoers Configuration Does Not Contain Scripts Writable by Unprivileged Users

The sudo command allows regular users to execute specific programs requiring root privileges, guided by the /etc/sudoers configuration file. Administrators can configure rules to run some scripts or binary files with root privileges. Therefore, any script specified in the sudo configuration must be writable only by root. If these scripts are writable by unprivileged users, they could modify the script content to achieve privilege escalation.

  1. Check the /etc/sudoers file to verify whether any programs requiring root privileges are writable by unprivileged users:
    grep "(root)" /etc/sudoers

    The following is an example.

    test_sudo  ALL=(root)  /bin/xxx.sh

    Check the file permission.

    ll /bin/xxx.sh
    -rw-------. 1 root root 451 Mar 27 17:00 /bin/xxx.sh
  2. If any script in /etc/sudoers is writable by unprivileged users, remediate the issue based on your actual service scenarios.
    • Method 1: Modify the file permissions of the scripts in /etc/sudoers. Remove the write permission of unprivileged users to prevent privilege escalation through script tampering..
    • Method 2: Delete the scripts that can be modified by unprivileged users from /etc/sudoers to eliminate the risk of privilege escalation.