Cheap sudo tricks

By lbonanomi · 1 min read

It's easier to ask forgiveness than it is to get permission.
-- Grace Hopper

I've done ops work under various titles for various employers for the last 15 years. If memory serves, every one of them has given the ops-geeks sudo rules that allowed sudo chmod and sudo chown to run as root, but would choke on a request for sudo -i. Here's why that's a stupid policy:

  1. Create an SSH key on your local box if you don't have one already.

  2. Connect to a target box and cd to ~roleaccount.
     If ~roleaccount/.ssh exists, change permissions on it to allow you to read and write. Otherwise, create ~roleaccount/.ssh.

  3. cd to ~roleaccount/.ssh and sudo chmod o+wx authorized_keys.

  4. Edit the authorized_keys file to append your public key.

  5. Restore permissions on authorized_keys.

  6. Go up to ~roleaccount and restore permissions on .ssh.

  7. From your local box: ssh roleaccount@target_host

If you reset permissions correctly, you have just connected directly as roleaccount.

This isn't a stealthy method of switching to another user, so please be ready to explain yourself if there's an audit.
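As an added example (not code from the original post), the following POSIX shell script shows the defender's side of the two points above: a sudoers line that grants unrestricted chmod and chown as root, placed next to a tighter alternative that pins the arguments, a check that flags the unrestricted form, and an audit of a role account's ~/.ssh for the group- or world-writable state that step 3 leaves behind. The sudoers lines, the `%ops` group and the `/var/www` paths are constructed for the example; the audit writes only under a temporary directory it creates itself.

```shell
#!/bin/sh
# Added example (not part of the original post): audit sudoers grants and
# ~/.ssh permissions for the pattern the post describes.

# Constructed sudoers lines. The first is the policy the post complains about:
# chmod/chown on any path as root is equivalent to root.  The second pins the
# arguments so the rule only covers the files the ops group actually manages.
WEAK_SUDOERS='%ops ALL=(root) NOPASSWD: /bin/chmod, /bin/chown'
TIGHT_SUDOERS='%ops ALL=(root) NOPASSWD: /bin/chmod 0644 /var/www/*, /bin/chown www-data\:www-data /var/www/*'

# Return 0 (flag) when a sudoers line lists chmod or chown with no arguments,
# i.e. immediately followed by a comma or end of line.
sudoers_grants_unrestricted_chmod_chown() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:],])/(usr/)?bin/ch(mod|own)[[:space:]]*(,|$)'
}

# Return 0 when the path is writable by group or other.  This is the same test
# sshd applies under StrictModes (its default) before trusting authorized_keys,
# which is why the post's steps 5 and 6 have to restore the permissions.
# Parsing `ls -ld` keeps the check portable across GNU and BSD stat variants.
is_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # group write (char 6) or other write (char 9)
        *) return 1 ;;
    esac
}

# Audit one home directory; print a WARN line per offending path, return 1 if any.
audit_ssh_dir() {
    audit_home="$1"
    audit_rc=0
    for f in "$audit_home/.ssh" "$audit_home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            continue
        fi
        if is_group_or_world_writable "$f"; then
            printf 'WARN: %s is group- or world-writable\n' "$f"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Build a constructed role-account home with correct 700/600 permissions and
# print its path (a temp directory, so the demo touches nothing real).
make_sample_home() {
    sample_home=$(mktemp -d)
    mkdir "$sample_home/.ssh"
    chmod 700 "$sample_home/.ssh"
    : > "$sample_home/.ssh/authorized_keys"
    chmod 600 "$sample_home/.ssh/authorized_keys"
    printf '%s\n' "$sample_home"
}

# Demonstration on the constructed data above.
for line in "$WEAK_SUDOERS" "$TIGHT_SUDOERS"; do
    if sudoers_grants_unrestricted_chmod_chown "$line"; then
        printf 'FLAG: %s\n' "$line"
    else
        printf 'ok  : %s\n' "$line"
    fi
done
demo_home=$(make_sample_home)
audit_ssh_dir "$demo_home" && printf 'ok  : %s/.ssh is clean\n' "$demo_home"
chmod o+wx "$demo_home/.ssh/authorized_keys"   # the state step 3 of the post creates
audit_ssh_dir "$demo_home" || printf 'FLAG: sshd StrictModes would refuse this file too\n'
rm -rf "$demo_home"
```

Two notes on the design. Pinning arguments in sudoers narrows the grant but is still fragile (a wildcard in an argument matches more than most people expect), so the safer fix for the policy the post describes is a dedicated wrapper script or a configuration-management run for the handful of chmod/chown operations ops actually needs, plus an alert on any sudo chmod or chown whose target is under a home directory. The ~/.ssh audit is cheap enough to run from cron on every host with a role account and catches the window between step 3 and step 5 even when the permissions are later restored, because sudo's own log already records the chmod.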
