Quote:
Originally Posted by linux4evr5581
(Post 5612906)
Well with preventing a user from going into a shell I'm pretty sure all you do is put an ! after their name in /etc/shadow file...
|
There are still plenty of ways around that. Whitelisting is not where you make a list of programs which the account is not allowed to run. That is blacklisting and does not work. Whitelisting is where the allowed actions are listed one by one. An example follows below.
Quote:
Originally Posted by linux4evr5581
(Post 5612906)
But in the case of locking down sudo isn't that relevant when you're an administrator and you have users who need sudo. Wouldn't that be the exception? Unless the better option which I learned from MWL (haven't watched the whole vid yet) is just not to use sudo, but instead use groups who have a specific role. Unless you wanted to write policies for every sudo user. Not sure what would be more secure...
|
Yes. Where possible, using group privileges instead of sudo is a better option. So if you want access to a file or a directory, groups are the way to go. However, with services 'sudo' is necessary.
Locking down "sudo" means whitelisting actions. If you want someone to get root shell, you simply add them to a group that can do so. The following line does that and more for the group sudo:
Code:
%sudo ALL=(ALL:ALL) ALL
Though once they have root shell, the 'and more' part is redundant. If your /etc/sudoers file has that line, don't add accounts to the group sudo. Make a new group for each set of tasks, and add accounts to those groups as needed.
Code:
%sudo ALL=(root:root) /usr/sbin/visudo ""
%admin ALL=(root:root) /usr/bin/apt-get
%webmasters ALL=(root:root) /usr/sbin/service apache2 start, /usr/sbin/service apache2 stop, \
/usr/sbin/service apache2 restart, /usr/sbin/service apache2 status
So there, the accounts in sudo can run amok. The accounts in admin can install or remove programs from the official repository. Those in webmasters can start or stop the web server which, when combined with group write access to various files, is enough to administer the web server. Those in both groups can do either. If you need only to write web pages, then "sudo" is not needed and groups are enough.
However, even with the admin and webmasters examples above, there are probably ways around "apt-get" itself and maybe Apache via the configuration files. The former could certainly be more compartmentalized. However, "sudo" is a helper for people you already trust. If you don't trust them, they should not be working for you. And as far as intruders go, they've already gotten in too far and you missed detecting them in time.
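Added example, not part of the original post and not sudo's own tooling: a small Python audit that reads sudoers-style rules like the ones above and reports which entries are exact whitelists and which still accept any command or any arguments. The names `classify`, `audit` and `needs_review` are hypothetical, the sample text is constructed from the lines in the post, and the parser assumes simple one-rule-per-line entries without escaped commas.

```python
import re

# Constructed sample, modelled on the sudoers lines quoted in the post.
SAMPLE = r'''
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(root:root) /usr/sbin/visudo ""
%admin ALL=(root:root) /usr/bin/apt-get
%webmasters ALL=(root:root) /usr/sbin/service apache2 start, /usr/sbin/service apache2 stop, \
    /usr/sbin/service apache2 restart, /usr/sbin/service apache2 status
'''

# who host=(runas) commands; the runas part is optional in sudoers.
RULE = re.compile(r'^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.+)$')

def classify(cmd):
    """Say how tightly one sudoers command entry is pinned."""
    parts = cmd.split(None, 1)
    if parts[0] == "ALL":
        return "unrestricted"      # any command, so effectively a root shell
    if len(parts) == 1:
        return "any-args"          # no argument list: sudo accepts any arguments
    if parts[1] == '""':
        return "no-args"           # may only be run without arguments
    if any(ch in parts[1] for ch in "*?["):
        return "wildcard-args"     # arguments limited only by a glob pattern
    return "pinned"                # arguments must match exactly

def audit(text):
    """Return (principal, command, classification) for every rule entry."""
    text = re.sub(r'\\\n\s*', ' ', text)          # fold backslash continuations
    findings = []
    for line in map(str.strip, text.splitlines()):
        # Skip blanks, comments, Defaults and *_Alias definitions.
        if not line or line[0] == '#' or re.match(r'Defaults|\w+_Alias\b', line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        # Simplification: assumes no escaped commas inside arguments.
        for cmd in m.group(3).split(','):
            cmd = re.sub(r'^(?:[A-Z_]+:\s*)+', '', cmd.strip())  # drop tags like NOPASSWD:
            if cmd:
                findings.append((m.group(1), cmd, classify(cmd)))
    return findings

def needs_review(text):
    """Entries that are not an explicit whitelist of exact actions."""
    return [f for f in audit(text) if f[2] in ("unrestricted", "any-args", "wildcard-args")]
```

On the sample, `needs_review(SAMPLE)` returns the `%sudo ... ALL` rule and the bare `apt-get` entry, while the four `service apache2` entries come back as pinned.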