LinuxQuestions.org
Old 02-24-2012, 11:38 PM   #1
maddyfreaks
Member
 
Registered: May 2011
Posts: 70

Rep: Reputation: 0
Restrict SUDO Access


Hi Folks,

Please help me. I am a bit stuck here.

Here is the OS info.
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

I have a user Alex (userid alex:admin) and am trying to grant him sudo access to a userid (cbttest:sytgrp), i.e. granting sudo to ID cbttest.

I have added the following info to /etc/sudoers file.

alex ALL=(cbttest:sytgrp) ALL

It was working fine, alex was able to sudo to cbttest.

Now I want to restrict alex from executing a passwd change, so I tried the options below; none worked.

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/passwd

Cmnd_Alias PASSWD=/usr/bin/passwd
alex ALL=(cbttest:sytgrp) ALL, !PASSWD

alex ALL=(cbttest:sytgrp) !/usr/bin/passwd

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/pass*

None of the above options worked. Please help me in restricting the user to execute everything as cbttest except passwd.
 
Old 02-24-2012, 11:47 PM   #2
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Are you using visudo to make your changes to the sudoers file? You cannot open /etc/sudoers and edit it directly.

If you don't like the vi-like editor provided by visudo, you can change it by setting one of two environment variables to the name of the editor you prefer. For example:
Code:
export VISUAL=emacs
One of the main benefits of using visudo is that visudo will tell you if you have bad syntax in your sudoers file when you try to save and exit.

I think that might be the case here. I'll look at it a little more closely though.
 
Old 02-25-2012, 12:24 AM   #3
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
As a followup, here's an excerpt for my Ubuntu machine's sudoers file and a sample shell session with results:

sudoers:
Code:
darkhelmet ALL=(gkrellmd) /usr/bin/whoami, ! /bin/echo
sample shell session:
Code:
darkhelmet@localhost$ sudo -u gkrellmd /usr/bin/whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.
 
Old 02-25-2012, 09:27 AM   #4
maddyfreaks
Member
 
Registered: May 2011
Posts: 70

Original Poster
Rep: Reputation: 0
Thanks Dark.. I am using visudo.

But I tried the way you gave, and it does not work. Moreover, I need the user to execute all the commands except password.

I don't know if you got my point or not.
 
Old 02-25-2012, 11:51 AM   #5
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Nope, I understood. The above was just an example. Here is another:

sudoers:
Code:
darkhelmet ALL=(gkrellmd) ALL, ! /bin/echo
sample shell session:
Code:
darkhelmet@localhost$ sudo -u gkrellmd whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u gkrellmd touch /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
-rw-r--r-- 1 gkrellmd nogroup 0 2012-02-25 10:47 /tmp/testfile
darkhelmet@localhost$ rm /tmp/testfile
rm: remove write-protected regular empty file `/tmp/testfile'? y
rm: cannot remove `/tmp/testfile': Operation not permitted
darkhelmet@localhost$ sudo -u gkrellmd rm /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
ls: cannot access /tmp/testfile: No such file or directory
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.
See also this thread.

If the above format does not work for you, then carefully review your sudoers file to verify that some other rule is not granting the user greater privileges (e.g. something like "%sudo ALL=(ALL) ALL"). If I remember correctly, later rules override earlier rules.

Last edited by Dark_Helmet; 02-25-2012 at 11:54 AM.
 
Old 02-25-2012, 02:04 PM   #6
maddyfreaks
Member
 
Registered: May 2011
Posts: 70

Original Poster
Rep: Reputation: 0
Here is the test case I have done.

My sudoers file:
Code:
# User privilege specification
root ALL=(ALL:ALL) ALL

alex ALL=(cbttest:sytgrp) ALL, !/bin/echo
Test session:
Code:
[alex@ubuntu] "/home/alex/Desktop"
$ whoami
alex
[alex@ubuntu] "/home/alex/Desktop"
$ sudo -H -u cbttest -i
[sudo] password for alex: *******
[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest
[cbttest@ubuntu] "/home/cbttest"
$ export DT=ABC
[cbttest@ubuntu] "/home/cbttest"
$ echo $DT
ABC
[cbttest@ubuntu] "/home/cbttest"
$ which echo
/bin/echo


There is no syntax error in the /etc/sudoers file.
 
Old 02-25-2012, 02:17 PM   #7
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
That's because you are logging in as cbttest.

Code:
sudo -H -u cbttest -i
As shown by your command prompt on the next line:
Code:
[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest
Once you have logged in as cbttest, the sudo restrictions no longer apply--because the sudo restrictions are for user alex launching commands as cbttest. You are no longer "alex" after logging in as cbttest.

In addition, sudo will only check against commands invoked with sudo. The sudo program does not monitor all shell activity.

To get the behavior you want, you must execute the commands as user alex and of the form "sudo -u cbttest [command]".
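
As an added example (not code from this thread, from LinuxQuestions, or from the sudo project), here is a small Python model of the two matching rules Dark_Helmet relies on in posts #5 and #7: within a sudoers file the last matching entry wins, and sudo only ever judges the one command it is asked to run. The sudoers text, the users and the group memberships are constructed for the demonstration; the model supports only user specs of the form shown in the thread, Cmnd_Alias, ALL, exact paths and "!" negation (no wildcards, Defaults, host matching, argument matching, NOPASSWD or runas-group checks).

```python
"""Minimal model of how sudoers matches the rules in this thread.

Added example; not code from the thread or from the sudo project. It covers
only the subset of sudoers(5) semantics needed here:
  - user specs:  USER HOST=(RUNAS[:GROUP]) CMD, CMD, !CMD ...
  - Cmnd_Alias definitions, the keyword ALL, exact command paths, '!' negation
  - "last match wins": when several entries match, the last one decides
    (both across user specs and within one command list)
Wildcards, Defaults, host matching, argument matching, NOPASSWD and the
runas *group* are deliberately ignored. All sample data is constructed.
"""
import re
from typing import Dict, List, Set, Tuple


class Spec:
    """One user specification: who may run which commands as whom."""

    def __init__(self, user: str, runas: str, cmds: List[Tuple[bool, str]]):
        self.user = user      # a user name, "ALL", or "%group"
        self.runas = runas    # target user name or "ALL"
        self.cmds = cmds      # [(allowed, command_path_or_ALL), ...]


_SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.*)$")


def parse_sudoers(text: str) -> List[Spec]:
    aliases: Dict[str, List[str]] = {}
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        user, _host, runas, cmdlist = m.groups()
        runas_user = runas.split(":", 1)[0].strip() or "ALL"
        cmds: List[Tuple[bool, str]] = []
        for item in cmdlist.split(","):
            item = item.strip()
            allowed = not item.startswith("!")
            item = item.lstrip("! ").strip()
            for cmd in aliases.get(item, [item]):   # expand Cmnd_Alias names
                cmds.append((allowed, cmd))
        specs.append(Spec(user, runas_user, cmds))
    return specs


def is_allowed(specs: List[Spec], user: str, groups: Set[str],
               runas: str, command: str) -> bool:
    """Return whether `user` may run `command` as `runas`; last match wins."""
    verdict = False
    for spec in specs:
        if spec.user.startswith("%"):
            if spec.user[1:] not in groups:
                continue
        elif spec.user not in ("ALL", user):
            continue
        if spec.runas not in ("ALL", runas):
            continue
        for allowed, cmd in spec.cmds:
            if cmd in ("ALL", command):
                verdict = allowed        # later entries override earlier ones
    return verdict


# Constructed sudoers content mirroring the thread's rule (Cmnd_Alias variant).
THREAD_SUDOERS = """
root    ALL=(ALL:ALL) ALL
Cmnd_Alias PASSWD = /usr/bin/passwd
alex    ALL=(cbttest:sytgrp) ALL, !PASSWD
"""

# The same file with a broader group rule appended after it, the situation
# Dark_Helmet asks the poster to check for.
SUDOERS_WITH_GROUP_RULE = THREAD_SUDOERS + "%sudo   ALL=(ALL) ALL\n"


def demo() -> Dict[str, bool]:
    specs = parse_sudoers(THREAD_SUDOERS)
    alex = dict(user="alex", groups={"admin"}, runas="cbttest")
    results = {
        # the negation does block a direct `sudo -u cbttest /usr/bin/passwd`
        "passwd_direct": is_allowed(specs, command="/usr/bin/passwd", **alex),
        "whoami": is_allowed(specs, command="/usr/bin/whoami", **alex),
        # `sudo -u cbttest -i` runs cbttest's login shell (assumed /bin/bash),
        # which ALL permits; inside that shell passwd never passes through sudo
        "login_shell": is_allowed(specs, command="/bin/bash", **alex),
    }
    # a later, broader rule for a group alex belongs to overrides the negation
    specs2 = parse_sudoers(SUDOERS_WITH_GROUP_RULE)
    results["passwd_with_group_rule"] = is_allowed(
        specs2, "alex", {"admin", "sudo"}, "cbttest", "/usr/bin/passwd")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "allowed" if ok else "denied"))
```

The "login_shell" result is the practical point of this thread: "ALL, !/usr/bin/passwd" denies exactly one path, while ALL still permits a shell, so the restriction is only as strong as the user's willingness not to type "sudo -u cbttest -i". The sudoers(5) manual makes the same warning: subtracting commands from ALL with "!" is generally not effective, because the user can copy the command to another name or run it from a shell. The safer shape is an allow-list of the specific commands alex actually needs, as in the whoami-only rule in post #3.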
 
Old 02-25-2012, 02:23 PM   #8
maddyfreaks
Member
 
Registered: May 2011
Posts: 70

Original Poster
Rep: Reputation: 0
Thanks Dark, I got the point now. But how can we restrict cbttest from changing the password?

i.e. he or anyone should not be able to use /usr/bin/passwd except root.

Is there a way to restrict that?
 
Old 02-25-2012, 02:32 PM   #9
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Take a look at this thread

Specifically Tinkster's response.

I have never actually tried his suggestion, nor do I know whether root would be able to bypass the restriction directly. But, if root cannot bypass it, root could certainly remove the restriction, change the password, and re-enable the restriction.

There may be other interesting options in man passwd. I haven't looked at that page in a while.
 