LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-16-2015, 02:06 PM   #1
robinwurl
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Rep: Reputation: Disabled
Question Allow some admin commands but disable sudo and su for a specific user in CentOS 7


I would like to allow user1 to have access to a specific set of administrative commands without sudo or ever allowing user1 to become root.


My understanding is that I can allow user1 to use yum, for example, by having the following in the sudoers file:

<snip>

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
%sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

<snip>

And then adding user1 to the sys group in /etc/group as so:

sys:x:3:user1


But when I try to test this, for example, install wget:

[user1@wz930lin ~]$ yum install wget
Loaded plugins: fastestmirror
You need to be root to perform this command.


Am I going about this the wrong way or missing something?
Thanks for any help with this.
 
Old 07-16-2015, 02:22 PM   #2
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by robinwurl View Post
I would like to allow user1 to have access to a specific set of administrative commands without sudo
Why?
That's exactly what sudo is built for.

Quote:
Originally Posted by robinwurl View Post
My understanding is that I can allow user1 to use yum, for example, by having the following in the sudoers file:

<snip>

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

<snip>

And then adding user1 to the sys group in /etc/group as so:

sys:x:3:user1


But when I try to test this, for example, install wget:

[user1@wz930lin ~]$ yum install wget
Loaded plugins: fastestmirror
You need to be root to perform this command.
That's because you need to use sudo.
 
Old 07-16-2015, 02:39 PM   #3
robinwurl
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
I want to limit user1's command set to basically software installation. Allowing sudo privileges does not. In fact, with sudo they could sudo su and become root which allows them total administrative control of the machine and beyond. For example, this machine uses an NFS share for home directories for all users in the entire department not just the users of this machine. With root access they could become anyone and do whatever they wanted with user's data/files/etc.

I'm fairly certain one can restrict a user to a subset of commands which is what I need.
 
Old 07-16-2015, 03:46 PM   #4
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by robinwurl View Post
I want to limit user1's command set to basically software installation. Allowing sudo privileges does not.
Yes, it does

Quote:
Originally Posted by robinwurl View Post
In fact, with sudo they could sudo su and become root which allows them total administrative control of the machine and beyond.
Only if you let them

Quote:
Originally Posted by robinwurl View Post
For example, this machine uses an NFS share for home directories for all users in the entire department not just the users of this machine. With root access they could become anyone and do whatever they wanted with user's data/files/etc.
Only if you let them

Quote:
Originally Posted by robinwurl View Post
I'm fairly certain one can restrict a user to a subset of commands which is what I need.
There is, it's called sudo...AND you already know how to use it (maybe you didn't notice, but that file you were editing was called /etc/sudoers).

Don't be confused by Ubuntu's idiotic policy of disabling the root account and granting the first user unlimited sudo access. This is not the proper usage of sudo, and while it will let you configure it that way, that's not at all what sudo was designed for.
 
Old 07-16-2015, 03:56 PM   #5
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 6,371
Blog Entries: 6

Rep: Reputation: Disabled
Allowing others other than the root user; the Administrator, is not a wise practice.
To many operators trying to do administrative tasks could lead to havoc or possibly create a mess for the Administrator to clean up. (just a thought)

-:::-I wouldn't do it but here's a few links-::-

Quote:
You can also restrict keys to permissible commands (in the authorized_keys file).

I.e. the user would not log in via ssh and then have a restricted set of commands but rather would only be allowed to execute those commands via ssh (e.g. "ssh somehost bin/showlogfile")
http://stackoverflow.com/questions/4...ds-after-login

http://serverfault.com/questions/569...or-linux-users
http://thenubbyadmin.com/2012/04/11/...ific-commands/

Last edited by Ztcoracat; 07-16-2015 at 03:59 PM.
 
Old 07-16-2015, 05:29 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198
I've never tried it but if you had yum (and maybe supporting tools) in a group that this user is a member of then maybe it would work by means of group membership instead of elevating user.

I'm pretty sure you can fine tune sudo as above but I never use it that way.
 
Old 07-17-2015, 12:23 PM   #7
robinwurl
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Okay - thanks for all your help and input.
 
Old 07-17-2015, 05:46 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,374

Rep: Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198Reputation: 2198
Errr, what fixed it?
 
Old 07-17-2015, 06:51 PM   #9
normanlinux
Member
 
Registered: Apr 2013
Distribution: Arch and SuSE
Posts: 135

Rep: Reputation: Disabled
sudo is for sudoing

As suicidaleggroll quite rightly said. What you wanted to do is [B]exactly[B] what sudo was created for. It wasn't intended to completely replace root. Since ubuntu pioneered its misuse there has been a lot of confusion.

sudo is not meant to be a replacement for root. It was created so that the administrator - root - could enable specific administrative tasks for specific users without allowing full root access
 
Old 07-17-2015, 07:11 PM   #10
MichaelAyres
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Rep: Reputation: 0
Precede command line command with 'sudo'

If I get Linux correct, by default, a normal user defaults to not be able to execute many commands. To give a particular user some particle right, add a line in the sudoers file asserting that right.

Then that user must proceed her command line command like: sudo apt-get update.
If, the same user issued command: apt-get update, it will fail, as for a regular user, it is only by preceding a command with sudo that the sudoers file is check to see if they have permission for that command object.

This way, a user's discretionary access control (DAC) is controlled granularly for access to execute a particular command 'object', rather than giving her root or some long term admin status.
 
Old 07-17-2015, 09:02 PM   #11
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 6,371
Blog Entries: 6

Rep: Reputation: Disabled
robinwurl:

Can you clarify what fixed this for you and what steps you took?
 
Old 07-18-2015, 10:11 AM   #12
robinwurl
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
First - let me qualify the environment. It is a virtual machine at a university to be used for a MS program capstone project. And since the students could be expelled from the program for malicious behavior, their incentive to be responsible is great.

Given the replies, I was convinced that what the user needed was sudo privileges because "That's what sudo is built for." I realized that it is extremely difficult, probably impossible, to give a user any amount of root privileges that wouldn't open the door for a malicious opportunity if they were so inclined. And since sudo evocations are logged, that gives me a usage trail.

That said, I did try to hide unneeded parts of my environment from the user such as removing unneeded NFS mount points; attempted to not allow them to use su by adding to sudoers file:

user1 ALL = ALL, !/usr/bin/su

I understand that they could still use su by just coping it and changing the name so, again, if they wanted to be malicious they could.

Some poster's replies offered solutions that may well could have worked, like jefro's, but then qualified their answer with "but I wouldn't do it" so that discouraged me from using those solutions.


Perhaps I shouldn't have marked this question "solved". I am a forum newbie and thought that this was the way to close the thread. Maybe it was inappropriate. Please let me know.
 
Old 07-18-2015, 10:31 AM   #13
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
copying sudo to use it won't work - Creating the copy removes the setuid bit from it, so that it is no longer privileged... And if you can get the setuid bit set on a root owned file, then you didn't need sudo in the first place.
 
Old 07-18-2015, 10:41 AM   #14
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,957

Rep: Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267Reputation: 1267
Quote:
Originally Posted by robinwurl View Post
attempted to not allow them to use su by adding to sudoers file:

user1 ALL = ALL, !/usr/bin/su
Preventing an sodoer from getting a root shell is a lot harder than that. You also have to consider all commands that have the ability to fork a shell, and that includes most editors, commands like find that can execute abritrary commands, and a whole host of others. Allowing a user to execute "almost anything, but not a shell" is essentially impossible. There are just too many basically innocuous commands that can be coerced into running a shell.
 
Old 07-18-2015, 11:45 PM   #15
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,258

Rep: Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947Reputation: 1947
Quote:
Originally Posted by robinwurl View Post
That said, I did try to hide unneeded parts of my environment from the user such as removing unneeded NFS mount points; attempted to not allow them to use su by adding to sudoers file:

user1 ALL = ALL, !/usr/bin/su
I thought you wanted to give them access to specific commands, not "everything but su". That's a dangerous path. Figure out which specific commands they need access to and only give them access to them, not the other way around.
 
  


Reply

Tags
root, su, sudo, sudoers


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Sudo question specific commands on specific directories slufoot80 Linux - Security 6 12-30-2014 09:57 AM
sudo : removing rights to run all commands for a particular user amit.kanade1983 Linux - Security 1 03-20-2014 03:57 PM
[SOLVED] allow normal user to exec some root commands w/o sudo gujedan Linux - Newbie 12 11-11-2011 12:16 AM
Setting up user to use sudo for specific commands kreed Linux - Newbie 6 05-16-2011 05:43 PM
Displayign what user is running sudo commands jakev383 Linux - Security 1 08-04-2009 04:01 PM


All times are GMT -5. The time now is 09:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration