VA: Becoming root

Hello community members,

Creating a file, let’s name it root, with the content seen in the screenshot below and executing the command sudo /usr/bin/cp -t /etc/sudoers.d/ root *.pem /etc/ssl/certs allows the user sailpoint to execute any command as root afterwards.

I guess SailPoint doesn’t see this as a problem.

In practice the virtual appliance is a single-user system, and that user is intended to be an administrator. The assignment of a user rather than root is intended to prevent the installation of unsupported applications.

2 Likes

Were you, for example, able to add a custom yum repo and make queries?

@jordan_violet @colin_mckibben take a look at this

I did add Jordan to my comment previously because this finding looks like a possible gap and would require a hot fix if need be.

SailPoint’s Virtual Appliances come with limited SUDO permissions for the ‘sailpoint’ user in order to reduce the chance of an incorrect configuration breaking the Virtual Appliance and thus causing an outage for a customer tenant’s critical functionality that relies on Virtual Appliances. SailPoint is not responsible for such an outage, and it would not count against contractual uptime Service Level Agreements.

These restrictions are not built as a security control and should not be relied on for that purpose. However, bypassing these restrictions does enable administrators to more easily get access to sensitive data stored on the Virtual Appliance’s disk such as the VA Cluster key and other encryption related data. Since the Virtual Appliance runs on infrastructure controlled by the customer, we do not consider this a security risk because a sufficiently advanced administrator is able to access this data in other ways without bypassing SUDO restrictions.

Bypassing the SUDO restrictions may make a Virtual Appliance unstable and unsupported. SailPoint’s automation will reset the modified SUDO permissions periodically, and we strongly recommend not taking actions that cause the bypass to persist. Unlike commands run with the sudo command prefix, commands run using the root user shell are not logged into the Virtual Appliance’s security journal.

SailPoint does not support any actions taken outside of the configured, limited SUDO permissions. You are on your own if you take these actions.

6 Likes

Hi @pierre_mouallem, while I understand some of your arguments, I think this goes against the “defence in depth” practice, which would definitely be expected from a tool that has “Security” in its name.

I still think that the current sudoers configuration is buggy, by allowing execution of commands that are not supported.

What I am missing from your answer is: “we will carefully review the current sudoers configuration and we will tighten the security around the sudoers file, so that an escalation is not possible anymore”.

SailPoint does not support any actions taken outside of the configured, limited SUDO permissions.

Technically the commands presented are within the configured, limited sudo permissions.

1 Like
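The opening post's command works because of how sudo matches command-line arguments: when a sudoers rule restricts arguments with a wildcard, sudo glob-matches the whole argument string, and a `*` can match whitespace, so extra options such as `cp -t` slip in ahead of the expected arguments. The script below is an added example, not SailPoint's sudoers file or tooling; the `WEAK_RULE` and `HARDENED_RULE` lines are constructed guesses at the kind of rule involved, and `rule_allows` only approximates sudo's matching. It parses a rule, reports argument wildcards or missing argument restrictions, and checks whether the invocation quoted in the thread would be permitted by each rule.

```python
"""Audit sudoers.d rules for argument patterns that allow option injection.

Added example, not SailPoint's configuration. The two rules below are constructed:
the real VA rule is not shown in the thread. rule_allows() approximates sudo's
command_args_match(): without wildcards the argument string must match exactly,
with wildcards the joined argument string is glob-matched (and '*' spans spaces).
"""
import fnmatch
import re
import shlex

# Constructed weak rule: a wildcard in the argument list.
WEAK_RULE = "sailpoint ALL=(root) NOPASSWD: /usr/bin/cp *.pem /etc/ssl/certs"
# Constructed hardened rule: fixed source and destination, no wildcard, '--' ends options.
HARDENED_RULE = "sailpoint ALL=(root) NOPASSWD: /usr/bin/cp -- /home/sailpoint/ca.pem /etc/ssl/certs/ca.pem"

# The invocation from the opening post, with *.pem expanded to one constructed file name.
PAGE_ARGV = ["/usr/bin/cp", "-t", "/etc/sudoers.d/", "root", "server.pem", "/etc/ssl/certs"]
# The operation an administrator is presumably meant to perform (assumption).
INTENDED_ARGV = ["/usr/bin/cp", "--", "/home/sailpoint/ca.pem", "/etc/ssl/certs/ca.pem"]

WILDCARD_CHARS = "*?["
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)


def parse_rule(line):
    """Split one sudoers user specification into its fields."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    words = shlex.split(m.group("cmd"))
    return {
        "user": m.group("user"),
        "runas": m.group("runas") or "root",
        "tags": [t.rstrip(":") for t in m.group("tags").split()],
        "command": words[0],
        "args": words[1:],
    }


def rule_allows(rule, argv):
    """Approximate sudo's argument matching for a single command rule."""
    if argv[0] != rule["command"]:
        return False
    if not rule["args"]:          # no argument restriction: anything goes
        return True
    pattern = " ".join(rule["args"])
    actual = " ".join(argv[1:])
    if any(c in pattern for c in WILDCARD_CHARS):
        # Glob over the joined string: '*' happily matches spaces and slashes.
        return fnmatch.fnmatchcase(actual, pattern)
    return actual == pattern


def audit_rule(rule):
    """Return a list of findings for patterns that weaken an argument restriction."""
    findings = []
    if not rule["args"]:
        findings.append("no argument restriction: any options and paths are accepted")
    elif any(c in a for a in rule["args"] for c in WILDCARD_CHARS):
        findings.append("wildcard in arguments: '*' matches whitespace, so extra "
                        "options (e.g. a different target directory) can be injected")
    return findings


def demo():
    """Compare both constructed rules against the thread's invocation and the intended one."""
    weak, hard = parse_rule(WEAK_RULE), parse_rule(HARDENED_RULE)
    return {
        "weak_findings": audit_rule(weak),
        "weak_allows_page_cmd": rule_allows(weak, PAGE_ARGV),
        "hard_findings": audit_rule(hard),
        "hard_allows_page_cmd": rule_allows(hard, PAGE_ARGV),
        "hard_allows_intended": rule_allows(hard, INTENDED_ARGV),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

Run against the constructed rules, the weak one reports the wildcard and accepts the thread's `-t /etc/sudoers.d/` invocation, while the hardened one rejects it and still permits the intended copy. On a real appliance the same check belongs in a periodic audit of `/etc/sudoers.d/`, alongside the journal review the vendor reply mentions, since a reset of the sudoers files does not tell you whether a bypass happened in between.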

Another argument is that with the incorrect sudoers people can look into how the CCG and VA_Agent work and even manipulate them in order to exploit them and have them provision on the company target systems.

This is very worrying, and it was not the answer I was expecting, to be honest.

1 Like