LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-15-2009, 11:44 PM   #1
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,143
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Thumbs up disable sudo su -


Hi,

I have sudo user prayag with following settings in visudo:

prayag ALL=(ALL) NOPASSWD: ALL


Now,prayag can enter the command

sudo su -
and login as root

i want to disable this feature(sudo su -)


how is it possible?
 
Old 09-16-2009, 01:09 AM   #2
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216Reputation: 216Reputation: 216
You should look into the commands you want to allow prayag to have and then limit them to that because their are several other methods that this user can use to get full root. But as it goes the difference between giving a user full sudo privilages is not far off from full root, they just need to mess about with their $PATHs and put sudo infront of everything...

Their is also "sudo /bin/sh" or "sudo /bin/bash" what would have similar effects to "sudo su -" or "sudo passwd root" to reset the root password. I would look more into actually setting proper sudo privilages and limiting what commands the user has access to.
 
Old 09-16-2009, 11:44 PM   #3
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,143
Blog Entries: 4

Original Poster
Rep: Reputation: 147Reputation: 147
Thumbs up

Hi,

I have to allow
prayag ALL=(ALL) NOPASSWD: ALL

i.e sudo to all command except the ones which gives them root shell is it possible to achieve this...???
 
Old 09-17-2009, 12:28 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,356

Rep: Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367Reputation: 2367
Only if you can list all the cmds you want to allow and you are certain none of them allows a shell escape. Harder than you think.
sudo enables specified cmds, there's no way to specify disallowing cmds. It just disallows any cmds not listed (ie that aren't specifically listed/enabled).
 
Old 09-17-2009, 12:30 AM   #5
r3sistance
Senior Member
 
Registered: Mar 2004
Location: UK
Distribution: CentOS 6/7
Posts: 1,375

Rep: Reputation: 216Reputation: 216Reputation: 216
This isn't possible,

Even if you limited it down to all the basic methods, if your giving them sudo, you are still giving them the ability to install a shell and then run it as root... Also even if you remove all but root shells, giving them sudo to everything else means they can do anything root can do via the use as sudo and view everything root can see. It's pointless to give them EVERYTHING else but direct root logins since they can still do whatever it is you don't want them do via sudo. Review what commands they actually need and then limit the sudoers file to just those commands and only those commands.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
Problem with SUDO : sudo: pam_authenticate: Module is unknown cristoph_ Linux - Software 2 03-02-2009 07:12 PM
sudo blkid vs. sudo fdisk -l problems alienexplorers Linux - Newbie 1 01-13-2009 12:35 AM
How can I disable "sudo -s -H"? jeewiz Linux - Security 5 07-26-2008 05:59 AM
Restricting Editing in Sudo (Advanced Sudo Question) LinuxGeek Linux - Software 4 11-04-2006 03:20 PM


All times are GMT -5. The time now is 07:19 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration