LinuxQuestions.org
Old 08-17-2012, 06:16 AM   #1
shahmeer75
LQ Newbie
 
Registered: May 2010
Posts: 5

Rep: Reputation: 0
Editing Sudoers file, what are the options?


Hi,

I am confused about editing the sudoers file: what to write and what not to? Can you please help me?

I am trying to edit sudoers for running a few commands like copying, moving, listing, searching, creating, changing permissions on files and directories in the home directory for a user, e.g. a test user, but I am not sure how to restrict the user's actions to a particular directory or restrict all other commands except ls, cp, grep, wc, cat, touch, chmod, chown running at root level (e.g. the rm -r command). What would be the syntax?

Thank you in advance.

Shahmeer
 
Old 08-17-2012, 06:34 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 9,352

Rep: Reputation: 2750
See here: http://www.garron.me/linux/visudo-co...lt-editor.html
Do not edit that file directly, use visudo instead (http://linux.die.net/man/5/sudoers)
 
Old 08-17-2012, 06:54 AM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,133
Blog Entries: 2

Rep: Reputation: 4836
Allowing a user to use cp, chmod or chown with sudo is basically the same as giving them your root password. The user is easily able to chmod or chown the sudoers file or just copy over an already prepared sudoers file, giving himself or other users any permission he wants.

This is a serious security issue, don't even consider it.

If you want to restrict the user's actions to a limited set of directories, sudo is not the appropriate tool; you should use the permission system, in particular different user groups, for that.
 
Old 08-17-2012, 07:30 AM   #4
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
I think there is a misunderstanding. I don't think that shahmeer75 wants the testuser to modify / chown / rm etc the sudoers file.

Not familiar enough with sudoers to be of further help

Last edited by Wim Sturkenboom; 08-17-2012 at 07:31 AM.
 
Old 08-17-2012, 07:49 AM   #5
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,133
Blog Entries: 2

Rep: Reputation: 4836
Quote:
Originally Posted by Wim Sturkenboom
I think there is a misunderstanding. I don't think that shahmeer75 wants the testuser to modify / chown /rm etc the sudoers file.
And that exactly is the problem. If the testuser has the right to start the commands mv, cp, chown, chmod (or many other programs) as root using sudo, the testuser is able to modify those files (or use many other nasty hacks) to become effectively root. If you don't trust the user, so that you have to give him limited rights with sudo, then you shouldn't trust him not to modify those files.
Therefore a different approach should be taken. Since shahmeer75 asks
Quote:
how to restrict the user's actions to a particular directory or restrict all other commands except ls, cp, grep, wc, cat, touch, chmod, chown running at root level
IMHO the correct approach would be to use file permissions or, if necessary, ACL (Access Control Lists).

@shahmeer75: Information about setting up sudo, file permissions and ACL
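
Added example, not part of any post in this thread: a small audit that reads sudoers-style rules and lists every grant of cp, mv, chmod or chown, the commands posts #3 and #5 describe as equivalent to root. The sample policy, user names and alias names are constructed, and the parser assumes one "user host = commands" spec per logical line.

```shell
#!/bin/sh
# Added example: list sudoers grants of cp, mv, chmod or chown, the commands
# the thread calls equivalent to handing out the root password.

# Constructed sample policy; every user and alias name here is hypothetical.
sample_sudoers() {
cat <<'EOF'
Cmnd_Alias FILEOPS  = /bin/cp, /bin/chown
Cmnd_Alias READONLY = /bin/ls, /usr/bin/wc
testuser ALL = (root) /bin/ls, /bin/chmod
alice    ALL = (root) NOPASSWD: FILEOPS
bob      ALL = (root) READONLY
carol    ALL = (root) /usr/bin/wc, \
                      /bin/mv
EOF
}

# audit_sudoers [FILE]: print "user: command" for each risky grant.
# Simplified parser: one "user host = commands" spec per logical line.
audit_sudoers() {
awk '
function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
function risky(cmd,   w, p, n) {         # compare the basename, ignore args
    split(cmd, w, /[ \t]+/); n = split(w[1], p, "/")
    return p[n] ~ /^(cp|mv|chmod|chown)$/
}
/\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continuation lines
{ line = buf $0; buf = "" }
line ~ /^[ \t]*(#|$)/ || line !~ /=/ { next }    # comments, blanks, includes
line ~ /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
{
    eq = index(line, "=")
    split(trim(substr(line, 1, eq - 1)), lhs, /[ \t]+/)
    rhs = substr(line, eq + 1)
    gsub(/\([^)]*\)/, "", rhs)           # drop (runas) lists
    gsub(/[A-Z_]+:/, "", rhs)            # drop tags such as NOPASSWD:
    n = split(rhs, cmds, ",")
    for (i = 1; i <= n; i++) {
        c = trim(cmds[i])
        if (lhs[1] == "Cmnd_Alias") { if (risky(c)) bad[lhs[2]] = 1 }
        else if (c in bad)  print lhs[1] ": " c " (alias)"
        else if (risky(c))  print lhs[1] ": " c
    }
}' "$@"
}

sample_sudoers | audit_sudoers   # demo run on the constructed sample
```

The four names checked are only the ones the thread lists; it also says "many other programs" have the same effect, so a clean result from this check does not make a rule set safe.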
 
  


All times are GMT -5. The time now is 11:51 AM.
