LinuxQuestions.org


maddyfreaks 02-24-2012 10:38 PM

Restrict SUDO Access
Hi Folks,

Please help me. I am a bit stuck here.

Here is the OS info.
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

I have a user Alex (userid alex:admin) and am trying to grant him sudo access to a userid (cbttest:sytgrp), i.e. granting sudo to ID cbttest.

I have added the following info to /etc/sudoers file.

alex ALL=(cbttest:sytgrp) ALL

It was working fine, alex was able to sudo to cbttest.

Now I want to restrict alex from executing passwd, so I tried the options below; none worked.

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/passwd

Cmnd_Alias PASSWD=/usr/bin/passwd
alex ALL=(cbttest:sytgrp) ALL, !PASSWD

alex ALL=(cbttest:sytgrp) !/usr/bin/passwd

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/pass*

None of the above options worked. Please help me in restricting the user to execute everything as cbttest except passwd.

Dark_Helmet 02-24-2012 10:47 PM

Are you using visudo to make your changes to the sudoers file? You cannot open /etc/sudoers and edit it directly.

If you don't like the vi-like editor provided by visudo, you can change it by setting one of two environment variables to the name of the editor you prefer. For example:
Code:

export VISUAL=emacs
One of the main benefits of using visudo is that visudo will tell you if you have bad syntax in your sudoers file when you try to save and exit.

I think that might be the case here. I'll look at it a little more closely though.

Dark_Helmet 02-24-2012 11:24 PM

As a followup, here's an excerpt for my Ubuntu machine's sudoers file and a sample shell session with results:

sudoers:
Code:

darkhelmet ALL=(gkrellmd) /usr/bin/whoami, ! /bin/echo
sample shell session:
Code:

darkhelmet@localhost$ sudo -u gkrellmd /usr/bin/whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.


maddyfreaks 02-25-2012 08:27 AM

Thanks Dark.. I am using visudo.

But I tried the way you gave... but it does not work. Moreover, I need the user to execute all the commands except passwd.

I don't know if you got my point or not.

Dark_Helmet 02-25-2012 10:51 AM

Nope, I understood. The above was just an example. Here is another:

sudoers:
Code:

darkhelmet ALL=(gkrellmd) ALL, ! /bin/echo
sample shell session:
Code:

darkhelmet@localhost$ sudo -u gkrellmd whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u gkrellmd touch /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
-rw-r--r-- 1 gkrellmd nogroup 0 2012-02-25 10:47 /tmp/testfile
darkhelmet@localhost$ rm /tmp/testfile
rm: remove write-protected regular empty file `/tmp/testfile'? y
rm: cannot remove `/tmp/testfile': Operation not permitted
darkhelmet@localhost$ sudo -u gkrellmd rm /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
ls: cannot access /tmp/testfile: No such file or directory
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.

See also this thread.

If the above format does not work for you, then carefully review your sudoers file to verify that some other rule is not granting the user greater privileges (e.g. something like "%sudo ALL=(ALL) ALL"). If I remember correctly, later rules override earlier rules.

maddyfreaks 02-25-2012 01:04 PM

Here is the test case I have done.

My sudoers file:
Code:

# User privilege specification
root ALL=(ALL:ALL) ALL

alex ALL=(cbttest:sytgrp) ALL, !/bin/echo
Sample shell session:
Code:

[alex@ubuntu] "/home/alex/Desktop"
$ whoami
alex
[alex@ubuntu] "/home/alex/Desktop"
$ sudo -H -u cbttest -i
[sudo] password for alex: *******
[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest
[cbttest@ubuntu] "/home/cbttest"
$ export DT=ABC
[cbttest@ubuntu] "/home/cbttest"
$ echo $DT
ABC
[cbttest@ubuntu] "/home/cbttest"
$ which echo
/bin/echo


There is no syntax error in the /etc/sudoers file.

Dark_Helmet 02-25-2012 01:17 PM

That's because you are logging in as cbttest.

Code:

sudo -H -u cbttest -i
As shown by your command prompt on the next line:
Code:

[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest

Once you have logged in as cbttest, the sudo restrictions no longer apply, because the sudo restrictions are for user alex launching commands as cbttest. You are no longer "alex" after logging in as cbttest.

In addition, sudo will only check against commands invoked with sudo. The sudo program does not monitor all shell activity.

To get the behavior you want, you must execute the commands as user alex and of the form "sudo -u cbttest [command]".
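The two points made in this thread (sudo only evaluates the command named on the sudo command line, and a later, broader rule wins over an earlier deny entry) can be checked offline with a small evaluator. The script below is an added example written for this page, not sudo's own code: it parses only the subset of sudoers syntax the thread uses (Cmnd_Alias, user specs of the form `user ALL=(runas:group) ALL, !cmd`, and `%group` specs) and applies sudo's last-matching-entry-wins rule. The sudoers fragment and the group membership are constructed for the example; the host field is ignored because every rule in the thread uses `ALL`, and `sudo -i` is modelled as a request to run the target user's login shell, assumed here to be `/bin/bash`.

```python
"""Toy evaluator for the sudoers rules discussed in this thread (added example).

Models only: Cmnd_Alias lines, user specs 'user HOST=(runas_user[:runas_group]) cmds',
'%group' user specs, 'ALL', '!' negation and shell-style wildcards in command paths.
Everything else in sudoers(5) is out of scope for this toy.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sudoers fragment modelled on the thread (not copied from a real host).
SUDOERS_FROM_THREAD = """
# User privilege specification
root ALL=(ALL:ALL) ALL
Cmnd_Alias PASSWD = /usr/bin/passwd
alex ALL=(cbttest:sytgrp) ALL, !PASSWD, !/bin/echo
"""

RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


@dataclass
class Rule:
    user: str                          # user name, %group, or ALL
    host: str                          # ignored by this toy (thread uses ALL)
    runas_user: str
    runas_group: Optional[str]
    cmds: List[Tuple[bool, str]]       # (negated, command pattern) in file order


def _split_cmds(spec: str, aliases: Dict[str, List[Tuple[bool, str]]]):
    """Turn 'ALL, !PASSWD, ! /bin/echo' into (negated, pattern) pairs, expanding aliases."""
    out = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        name = item.lstrip("! ").strip()
        if name in aliases:
            # '!ALIAS' negates every member of the alias
            out.extend((negated != n, c) for n, c in aliases[name])
        else:
            out.append((negated, name))
    return out


def parse_sudoers(text: str) -> List[Rule]:
    aliases: Dict[str, List[Tuple[bool, str]]] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, spec = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = _split_cmds(spec, aliases)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        user, host, runas, spec = m.groups()
        # With no (runas) part sudo defaults to root
        runas_user, _, runas_group = (runas or "root").partition(":")
        rules.append(Rule(user, host, runas_user.strip(),
                          runas_group.strip() or None, _split_cmds(spec, aliases)))
    return rules


def _user_matches(rule_user: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    if rule_user in ("ALL", user):
        return True
    return rule_user.startswith("%") and rule_user[1:] in groups.get(user, set())


def allowed(rules: List[Rule], user: str, runas_user: str, command: str,
            groups: Optional[Dict[str, Set[str]]] = None) -> bool:
    """True if `user` may run `command` as `runas_user`.

    `command` is the resolved absolute path: sudo matches after PATH lookup,
    which is why 'whoami' on the command line is compared as /usr/bin/whoami.
    The LAST matching entry across all rules decides, as in sudo.
    """
    groups = groups or {}
    verdict = False
    for rule in rules:
        if not _user_matches(rule.user, user, groups):
            continue
        if rule.runas_user not in ("ALL", runas_user):
            continue
        for negated, pattern in rule.cmds:
            if pattern == "ALL" or fnmatch.fnmatchcase(command, pattern):
                verdict = not negated
    return verdict


def thread_scenarios() -> Dict[str, bool]:
    """The invocations discussed above, evaluated as alex -> cbttest."""
    rules = parse_sudoers(SUDOERS_FROM_THREAD)
    groups = {"alex": {"admin"}}                 # constructed, per the OP's 'alex:admin'
    return {
        "whoami": allowed(rules, "alex", "cbttest", "/usr/bin/whoami", groups),
        "echo": allowed(rules, "alex", "cbttest", "/bin/echo", groups),
        "passwd": allowed(rules, "alex", "cbttest", "/usr/bin/passwd", groups),
        # 'sudo -u cbttest -i' asks for cbttest's login shell (assumed /bin/bash);
        # 'ALL' permits it, and once that shell runs, nothing typed inside it
        # passes through sudo, so the !PASSWD entry is never consulted.
        "login_shell": allowed(rules, "alex", "cbttest", "/bin/bash", groups),
        "echo_as_root": allowed(rules, "alex", "root", "/bin/echo", groups),
    }


def with_group_rule() -> bool:
    """Dark_Helmet's caveat: a later '%sudo ALL=(ALL) ALL' line wins over the earlier deny."""
    rules = parse_sudoers(SUDOERS_FROM_THREAD + "\n%sudo ALL=(ALL) ALL\n")
    return allowed(rules, "alex", "cbttest", "/bin/echo", {"alex": {"admin", "sudo"}})


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:13s} {'permitted' if ok else 'denied'}")
    print(f"echo with later %sudo rule: {'permitted' if with_group_rule() else 'denied'}")
```

The `login_shell` case is the one that bit the OP: the deny entry only ever matches a `sudo -u cbttest /usr/bin/passwd` invocation, not a `passwd` typed into a shell that sudo already handed over. This is also why sudoers(5) itself warns that subtracting commands from `ALL` with `!` is generally not an effective restriction; on a real system, `sudo -l -U alex` (run as root) lists what the live policy actually grants after all rules are combined.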

maddyfreaks 02-25-2012 01:23 PM

Thanks Dark, I got the point now. But how can we restrict cbttest from changing the password?

i.e. he or anyone else should not be able to use /usr/bin/passwd except root.

Is there a way to restrict that?

Dark_Helmet 02-25-2012 01:32 PM

Take a look at this thread.

Specifically Tinkster's response.

I have never actually tried his suggestion, nor do I know whether root would be able to bypass the restriction directly. But, if root cannot bypass it, root could certainly remove the restriction, change the password, and re-enable the restriction.

There may be other interesting options in man passwd. I haven't looked at that page in a while.
