LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-10-2009, 01:55 PM   #1
jahnieboi
LQ Newbie
 
Registered: Jul 2009
Location: San Jose
Posts: 6

Rep: Reputation: 0
How to grant sudo without allowing users to su to root


Does anyone know how I can grant users access to all root privileges, except allowing them to su?

I want to be to monitor and track who changes what.

Thanks,

Jahnieboi
 
Old 07-10-2009, 03:19 PM   #2
abi0909
Member
 
Registered: Jul 2009
Distribution: Ubuntu, RedHat, VMWare, CentOS, Windows, Android, Mac
Posts: 55

Rep: Reputation: 18
Configure SUDO, that is meant to give all privilege for a user as root user and still not allowing him the root access direct.

About monitoring who changed what, I do not think there is any way of doing it as far as I know.

But I would give you one idea - Change the root password so that your prospective root user would not know it. Also add his user id to have a SUDO access. And if you need to know if any file changed, you can see when was the last time the file was modified and also when was the last time the user logged into the system. And if you matches, it would mean he was might have modified it.

Just an idea.
 
Old 07-10-2009, 03:54 PM   #3
Disillusionist
Senior Member
 
Registered: Aug 2004
Location: England
Distribution: Ubuntu
Posts: 1,038

Rep: Reputation: 97
Do not allow sudo access to vi or emacs!

These (and many other applications) allow you to drop down to a shell prompt, thus gaining full root privileges.

The basic rule is to give only as much access as they need.
 
Old 07-10-2009, 04:54 PM   #4
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
What privileges do you exactly want them to have? If you want to give them sudo ALL, well, they're going to have root on your machine. If you just want them to be able to run certain commands with privileges, your sudoers file should have many examples of how to do that.


Quote:
Originally Posted by abi0909 View Post
Configure SUDO, that is meant to give all privilege for a user as root user and still not allowing him the root access direct.

Try running `sudo su -`. No root password required.
 
Old 07-10-2009, 06:52 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
Take a look at the sudoers man page:
Code:
	jill	       SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any commands in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.
Vim has a restricted version (rvim) which doesn't allow escaping to the shell or executing commands.

However, this is just an advisory restriction. A sudo user could simply copy a file (such as /bin/bash) to one with a different name. The solution may be a political one rather than technical. Allowing nearly any command and plugging holes in programs like vim, and controlling the environment will not be bullet proof.

Be careful who you allow to use sudo.
It may be too difficult to restrict su'ing to root. It would be easier to allow a group to execute a set group of commands.

If what you want to do is allow regular users to perform some tasks such as mounting a drive, look at PolicyKit. You can make a distinction such as whether the user is on a local terminal, or logged in remotely.
 
Old 07-10-2009, 07:18 PM   #6
abi0909
Member
 
Registered: Jul 2009
Distribution: Ubuntu, RedHat, VMWare, CentOS, Windows, Android, Mac
Posts: 55

Rep: Reputation: 18
Quote:
Originally Posted by karamarisan View Post
Try running `sudo su -`. No root password required.
oops .. my bad
 
Old 07-10-2009, 08:16 PM   #7
jefro
Moderator
 
Registered: Mar 2008
Posts: 15,697

Rep: Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265Reputation: 2265
You are doing it wrong. Users never need admin rights.

In fact admin's don't need it except to perform admin tasks.

That is why there are admins and plain old users.
 
Old 07-13-2009, 11:13 AM   #8
jahnieboi
LQ Newbie
 
Registered: Jul 2009
Location: San Jose
Posts: 6

Original Poster
Rep: Reputation: 0
Thank you all for responding. After careful research, I have found that you can specify entries in the sudoers files to exclude commands.

I have made these entries, forcing everyone to type in there passwords to execute admin commands. I have also denied them the ability to remove their own .sh_history file, so that the "root" account can view them for history.

Example: ALL=ALL, !/bin/su root, !/bin/rm .sh_history and etc... I had added a lot more stuff, but you get what I am doing.

I have then taken away the read privileges on the sudoers file, so that only "root" can see it.

This may be the long way, but this is the only way I know how to do the job and I understand that it will only be as secure and effective on how I configure it, so I am trying to think of all possibilities and holes in this method.

Thanks for spending the time to reply to my post. I really appreciate all of your efforts!
 
Old 07-13-2009, 01:03 PM   #9
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
I see what you're trying to do, but the way you're trying to do it is a losing battle. Things I would do on your system:

1. I don't know if bash lets you configure where your history is saved, but if users can chsh, other shells store it elsewhere. I know for a fact that my shell, zsh, will let you store your history anywhere you can write, include /dev/null.
2. If I can sudo any editior, taking away read privileges on sudoers for non-root users will present only a moment's interruption when the unprivileged attempt fails.
3. If I can sudo any editor (or even sed or Perl), I'd add a line to the bottom of root's .bashrc that would run a script in my homedir (say, hidden as my .bashrc) that could do anything, no matter what you blacklisted, because it would be run by root proper the next time you su -'d. Making said script remove said line from said file afterwards would be trivially easy.

In short, you don't want blacklisting because you CANNOT anticipate even most possible attacks. You want whitelisting. What do your users actually need privileges for? Anything?

Look up the principle of least privilege for a highly relevant read.


Edit: It doesn't matter.
Code:
The Book of chmod, Chapter 3:33
The users went to r--t, and they asked him, 'Can we not remove read
permissions from our files so that we can have secrets from You?'
And r--t spake: "Yeah, not so much. I can pretty much do whatever 
I want around here."

Last edited by karamarisan; 07-13-2009 at 01:11 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
allowing non-root users to renew ip address? raz3k Linux - Networking 1 06-20-2007 08:05 AM
Grant Configuring SUDO Root Privileges to Regular Users +Problem+ redir Fedora 2 02-26-2007 12:10 PM
Grant a user root privileges to add and delete users Maranza Linux - Security 6 11-02-2006 11:10 AM
How to grant root previlege to other users? wtb1974 Linux - Newbie 4 03-19-2006 01:20 AM
Allowing other users than root to mount drives DarkPhoenix Linux - Newbie 6 06-25-2004 07:28 AM


All times are GMT -5. The time now is 01:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration