LinuxQuestions.org
Old 01-14-2013, 09:19 AM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Debian
Posts: 2,900

Rep: Reputation: 73
Question Help Limit Sudo Access For Script


I have a developer on my Linux server who needs to have a small custom Bash script run manually which lives in the /etc/init.d/ folder:

Code:
[root@cq init.d]# ls -l myscript
-rwxrwxr-x 1 root root 1301 Feb 14  2012 myscript
I don't just want to give this or possibly more developers blind full sudo access to the entire server. My question is how can I limit the user's sudo access to run this script and not have to give them more access than they need? I'm not sure if it's necessary to see what exactly the script is doing and where it's doing it, so I will just leave it at this for now and can post more details if need be.

So I just want this user to be able to run this script as sudo but have sudo limit her ability to what she can and can't do as an elevated user.

Thanks for any info.
 
Old 01-14-2013, 09:39 AM   #2
Snark1994
Senior Member
 
Registered: Sep 2010
Location: Wales, UK
Distribution: Arch
Posts: 1,632
Blog Entries: 3

Rep: Reputation: 345
Not difficult. In your sudoers, just add:

Code:
herUsername ALL=(ALL) /path/to/her/script
Then she should be able to run only that script as sudo, and not be able to run any other commands as sudo.

However, you probably want to ensure she doesn't have write access to the script (otherwise she could put 'sh' in there and get a full shell!). So you want to take a copy of her script, make sure she can't alter the copy, and then allow her to run the copy as sudo.

Last edited by Snark1994; 01-14-2013 at 09:41 AM.
 
Old 01-14-2013, 11:53 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897
...additionally:
Quote:
Originally Posted by carlosinfl View Post
I'm not sure if it's necessary to see what exactly the script is doing and where it's doing it so
no, as long as you're aware of what it does and how it does it. Might be stating the obvious but if a script allows the user to 'su -l' (or see 'man sudoers': NOEXEC examples), well, then that's it.
 
Old 01-15-2013, 02:09 AM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
Indeed; some cmds/tools do allow (or can be 'crashed' to allow) access to a shell.
Have a good read of the sudoers page http://linux.die.net/man/5/sudoers, with special ref to the Security Notes & Preventing Shell Escapes sections at the bottom there ...

Note that the perms you've got at the moment allow anyone to run it, without sudo...
You could possibly create a dedicated group for just running that file and only put that one user in that group and use group execute perms; no need for sudo.
 
Old 01-15-2013, 05:00 PM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,236

Rep: Reputation: 577
Quote:
Originally Posted by unSpawn View Post
...additionally:

no, as long as you're aware of what it does and how it does it. Might be stating the obvious but if a script allows the user to 'su -l' (or see 'man sudoers': NOEXEC examples), well, then that's it.
Actually I think you do need to know what it does, as well as HOW.

One thing to restrict is parameters. The script may be subject to something like

sudo script '`/usr/bin/sh`'

Or some other shenanigans with parameters, environment, or other substitutions...
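Putting Snark1994's advice (a root-owned copy the developer cannot edit, plus a one-command sudoers rule) and jpollard's point about arguments together, here is an added example script that is not from any poster in this thread. It assumes the names devuser, /usr/local/sbin/myscript and an /etc/sudoers.d directory that /etc/sudoers already includes.

```shell
#!/bin/sh
# Added example (not from the thread): lock down a copy of the script and
# generate a sudoers rule that permits only that copy, with no arguments.
# Assumed names: devuser, /usr/local/sbin/myscript, /etc/sudoers.d (must be
# included from /etc/sudoers via #includedir on your system).
set -eu

# install_locked_copy SRC DEST: copy the script to a location the developer
# cannot write, so she cannot edit it into something that spawns a shell.
install_locked_copy() {
  cp "$1" "$2"
  chmod 0755 "$2"                      # owner rwx, nobody else may write
  if [ "$(id -u)" -eq 0 ]; then        # chown only works as root
    chown root:root "$2"
  fi
}

# check_not_writable FILE: succeed only if group and others lack write
# permission (columns 6 and 9 of the ls -l mode string).
check_not_writable() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case $mode in
    ?????-??-?) return 0 ;;
    *)          return 1 ;;
  esac
}

# sudoers_rule USER CMD: allow USER to run CMD as root and nothing else.
# The trailing "" means "no arguments allowed" (sudoers(5)), which closes the
# substitution-in-argument trick jpollard mentions. NOEXEC is deliberately not
# used: for a shell script it would also block every command the script runs.
sudoers_rule() {
  printf '%s ALL=(root) %s ""\n' "$1" "$2"
}

# Usage (as root): sh restrict_sudo.sh devuser /etc/init.d/myscript /usr/local/sbin/myscript
if [ $# -eq 3 ]; then
  install_locked_copy "$2" "$3"
  check_not_writable "$3" || { echo "$3 is group/world writable" >&2; exit 1; }
  rule=/etc/sudoers.d/"$1"-myscript
  sudoers_rule "$1" "$3" > "$rule"
  chmod 0440 "$rule"
  visudo -cf "$rule"                   # syntax-check before trusting the rule
fi
```

If the script genuinely needs arguments, list the exact permitted argument strings in the rule instead of dropping the trailing "", because a bare command path with no trailing "" allows any arguments at all.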
 
Old 01-16-2013, 07:01 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897Reputation: 2897
Quote:
Originally Posted by jpollard View Post
Actually I think you do need to know what it does, as well as HOW.
That actually is what I said. You only read what I wrote differently :-]
 