authorDmitry Ilvokhin <d@ilvokhin.com>2023-12-20 11:51:20 +0000
committerDmitry Ilvokhin <d@ilvokhin.com>2023-12-20 11:51:20 +0000
commit616753b16cd7a3d00716047d3e58581c6e37805a (patch)
tree61c2bcada80ec0427b8c0200af382a1013cc48df /roles/essential/tasks/sudo.yml
parent2a59032badaefc7b7dc86ef18cf5a26b04cac4c1 (diff)
Prevent PATH hijacking attack with sudo
Diffstat (limited to 'roles/essential/tasks/sudo.yml')
-rw-r--r--roles/essential/tasks/sudo.yml15
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/essential/tasks/sudo.yml b/roles/essential/tasks/sudo.yml
index 273b99a..e2d4861 100644
--- a/roles/essential/tasks/sudo.yml
+++ b/roles/essential/tasks/sudo.yml
@@ -14,3 +14,18 @@
owner: root
group: root
mode: u+r,g+r,o-rwx
+
+- name: Use hard-coded PATH instead of the user's to find commands
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ # Double quotes are important here if we want to break the line on multiple
+ # lines, as escaping doesn't work with single quotes.
+ regexp: "^(# )?Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ line: "Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:\
+ /usr/sbin:/usr/bin:/sbin:/bin\""
+ validate: "visudo -cf %s"
+ owner: root
+ group: root
+ mode: u+r,g+r,o-rwx
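Review bot: The `regexp:` in the new task matches only the one exact secure_path value, so a host whose sudoers already carries `Defaults secure_path=` with a different value (for example a distribution default that appends extra directories) is not matched and a second directive is appended at the end of the file; sudo honors the later Defaults line, so the hardening still takes effect, but the stale directive stays and the task is no longer self-correcting. Anchoring on the key alone, `regexp: '^(# )?Defaults\s+secure_path='`, replaces whatever value is present and keeps exactly one line, with `validate: "visudo -cf %s"` still guarding the result. Any `secure_path` set in a drop-in under `/etc/sudoers.d` is presumably parsed after this line when the include directive sits below it, as in the common stock file, and would override it; the task does not check for that. `dest` is a legacy alias of `path` in ansible.builtin.lineinfile, so `path: /etc/sudoers` would match the current module documentation.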