Closed KaidenP closed 8 years ago
You can avoid this behaviour using this unnoficial and sentora team unsupported security script (still work in progress) http://sentora-paranoid.open-source.tk/
Only Ubuntu is covered, but any help is welcome
Ok, however is there a way to secure zsudo without apparmor or SELinux? Neither work on my server.
I started a package of scripts to remove completely zsudo and touch all sources that require it to use small secured predefined scripts, one per function called.
It needs only I complete it.... it is on the table since many weeks, but i was too much loaded and also too much tired to work more on them after dinner... I'll try to release them this week.
Are they on github?
@5050 This needs to go out for the next release. Please advise when you have completed the new scripts.
Notice we only require it for apache in sentora core. Could be easily replaced with a script. Issue with keeping compatibility with other modules.
M B
zsudo will be removed. Also sentora was never made to be used with shared SSH. Closing it.
I was Checking out the zsudo file located at /etc/sentora/panel/bin/zsudo, and noticed that it can grant any local user root privileges. See the following:
Executed as root:
Login as tmp-user:
And BAM! You now have a root shell.