LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 04-09-2011, 12:56 PM   #1
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Rep: Reputation: 2
After modifying /etc/sudoers file, new users can not run specified commands


Hello:


This is an ubuntu 10.10 notebook edition.
After modifying /etc/sudoers file, new users can not run specified commands.

Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

User_Alias SUDOMODIFIERS = bob, scott

# Cmnd alias specification

Cmnd_Alias SUDOCMDS = /sbin/shutdown, /etc/passwd, /etc/group

# User privilege specification
root    ALL=(ALL) ALL

SUDOMODIFIERS All= SUDOCMDS

#USERS All = SHUTDOWN_CMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

bob and scott can not shut down, nor can they open /etc/passwd or /etc/group files.



mansour
 
Old 04-09-2011, 06:06 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Thoughts:
  • SUDOCMDS looks incorrect to me. You've specified that SUDOMODIFIERS can execute /etc/passwd and /etc/group.
  • Are you editing /etc/sudoers directly, or are you using visudo(8)? You should only be doing the latter.
  • Are you sure you want these users to be able to modify /etc/passwd and /etc/group? If so, they should be doing so using vipw(8) and vigr(8), not editing them directly. Also, if so: you are effectively handing over root access to a mischievous user.
 
Old 04-09-2011, 06:55 PM   #3
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by anomie View Post
Thoughts:
  • SUDOCMDS looks incorrect to me. You've specified that SUDOMODIFIERS can execute /etc/passwd and /etc/group.
  • Are you editing /etc/sudoers directly, or are you using visudo(8)? You should only be doing the latter.
  • Are you sure you want these users to be able to modify /etc/passwd and /etc/group? If so, they should be doing so using vipw(8) and vigr(8), not editing them directly. Also, if so: you are effectively handing over root access to a mischievous user.
Hello anomie:

You said SUDOCMDS looks incorrect. How do you mean? what is incorrect?
I am using sudo visudo command actually.

By the way, I am just trying to learn how to do this modification properly, these users aren't real people, and there isn't any critical data here.


mansour
 
Old 04-09-2011, 07:03 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
The way you've configured sudoers(5), you are saying you want certain users to be able to execute /etc/passwd and /etc/group. That doesn't make sense - neither of those is a script or binary (i.e. executing them is not possible, or even desirable).

Even if you were to give them access to an editor to edit only those two files (by way of a wrapper script), locking this down is still an extremely difficult proposition.

For the sake of learning (on a non-'net connected test system), you might give them access to /usr/sbin/vipw and /usr/sbin/vigr. But I'd advise you to never do this on a production system.
 
Old 04-09-2011, 08:33 PM   #5
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by anomie View Post
The way you've configured sudoers(5), you are saying you want certain users to be able to execute /etc/passwd and /etc/group. That doesn't make sense - neither of those is a script or binary (i.e. executing them is not possible, or even desirable).

Even if you were to give them access to an editor to edit only those two files (by way of a wrapper script), locking this down is still an extremely difficult proposition.

For the sake of learning (on a non-'net connected test system), you might give them access to /usr/sbin/vipw and /usr/sbin/vigr. But I'd advise you to never do this on a production system.

Actually I picked that up on an Internet site about sudoers file. The /etc/passwd and /etc/group I mean. But why is it that these users can not shut down from command line?


mansour
 
Old 04-09-2011, 09:31 PM   #6
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 7,411

Rep: Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403
I think the correct syntax for the shutdown command would be something like

Code:
[username] ALL=[path]
as in

Code:
[username]  ALL=/sbin/shutdown
Check where "shutdown" is located in your distro.
 
Old 04-10-2011, 12:04 PM   #7
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by frankbell View Post
I think the correct syntax for the shutdown command would be something like

Code:
[username] ALL=[path]
as in

Code:
[username]  ALL=/sbin/shutdown
Check where "shutdown" is located in your distro.

Actually here it is,

# All the shutdown commands
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt


Based on this Ubuntu community Guide:

https://help.ubuntu.com/community/Sudoers


mansour
 
1 members found this post helpful.
Old 04-10-2011, 01:47 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by mansour
Actually I picked that up on an Internet site about sudoers file. The /etc/passwd and /etc/group I mean. But why is it that these users can not shut down from command line?
That's the problem with 'net tutorials. Take them with a grain of salt, and be careful about deploying them without properly testing first (which is what you're doing now).

Are you invoking shutdown(8) using the FQ path?

Code:
$ sudo /sbin/shutdown -h now
 
Old 04-10-2011, 01:57 PM   #9
EDDY1
Guru
 
Registered: Mar 2010
Location: Oakland,Ca
Distribution: wins7, Debian wheezy
Posts: 5,084

Rep: Reputation: 448Reputation: 448Reputation: 448Reputation: 448Reputation: 448
You have shutdown commands commented out.
remove "#"

Quote:
# User privilege specification
root ALL=(ALL) ALL

SUDOMODIFIERS All= SUDOCMDS

#USERS All = SHUTDOWN_CMDS#

Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
 
Old 04-10-2011, 04:02 PM   #10
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by anomie View Post
That's the problem with 'net tutorials. Take them with a grain of salt, and be careful about deploying them without properly testing first (which is what you're doing now).

Are you invoking shutdown(8) using the FQ path?

Code:
$ sudo /sbin/shutdown -h now


No I wasn't, but then I tested the FQ path after seeing your post, and still didn't work.

$ sudo /sbin/shutdown -h now


mansour
 
Old 04-10-2011, 04:08 PM   #11
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by EDDY1 View Post
You have shutdown commands commented out.
remove "#"
No that was a different set of commands I commented out.



Code:
                                                           

# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# User_Alias SUDOMODIFIERS = mdav

User_Alias USERS = scott, bob

# Cmnd alias specification

# Cmnd_Alias SUDOCMDS = /sbin/shutdown

Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt

# User privilege specification
root    ALL=(ALL) ALL

# SUDOMODIFIERS All= SUDOCMDS

USERS All = SHUTDOWN_CMDS

#USERS All = SHUTDOWN_CMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

mansour
 
Old 04-11-2011, 04:27 PM   #12
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by mansour
No I wasn't, but then I tested the FQ path after seeing your post, and still didn't work.
How's that? Error message?
 
Old 04-11-2011, 08:44 PM   #13
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, Mint
Posts: 7,411

Rep: Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403Reputation: 1403
Quote:
Originally Posted by mansour View Post
# All the shutdown commands
Cmnd_Alias SHUTDOWN_CMDS = /sbin/shutdown, /sbin/reboot, /sbin/halt
Thanks.
 
Old 04-12-2011, 09:41 PM   #14
mansour
Member
 
Registered: Nov 2010
Location: Toronto, Canada
Distribution: Ubuntu 10.04 Lucid Lynx - Ubuntu 10.10 notebook - Debian 5.08 - Win XP
Posts: 172

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by anomie View Post
How's that? Error message?
"new user (bob) does not have sudo powers, incident will be reported", this is the message I am getting.

And he can not shut down from command line, or even soft shut down.


mansour

Last edited by mansour; 04-12-2011 at 09:49 PM.
 
Old 04-13-2011, 09:05 AM   #15
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 111Reputation: 111
Apparently you're not using visudo to edit this. The syntax of your statement "SUDOMODIFIERS All= SUDOCMDS" looks strange, because the spaces are off around the = sign and the "All" is mixed case. So I opened my sudoers file in visudo, and while it didn't mind the spacing, it did mind the mixed case. When I changed "All" to all caps, it was fine. Try making that fix yourself and see how it works out. Also, use visudo to edit it, instead of vi/vim.

As mentioned before, you can't use sudo to control access to individual files, because sudo only focuses on rights to execute programs, so the references to /etc/passwd and /etc/group can be removed. That means that all you're trying to accomplish here is to grant two users access to the shutdown command, which can be accomplished a lot simpler. Just create a user group (for the purposes of this example, we'll call it "shutdown"), and add this line to the user privilege section:

Code:
# User privilege specification
root    ALL=(ALL) ALL
%shutdown       ALL = /sbin/shutdown
The Cmnd Alias specifications are all well and good when you need to grant users access to long lists of commands, but since you're only doing one here, it's overkill.
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is it possible to run the interfaces file after modifying? nhammoud Linux - Networking 4 01-27-2011 10:14 AM
[SOLVED] Can't Execute Commands as sudo Nor Access Sudoers File in Mandriva 2010.1 gdawg Linux - Newbie 4 08-17-2010 01:32 PM
Where is the log file for all commands that have been run? byronk Linux - General 3 04-06-2006 02:42 PM
I deleted /etc/sudoers and creates a new file call sudoers but now it doesnt for visu abefroman Linux - Software 1 11-10-2005 05:03 PM
Allowing users to run commands davee Linux - Security 1 01-27-2003 05:54 AM


All times are GMT -5. The time now is 01:15 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration