LinuxQuestions.org
Old 05-14-2014, 04:15 PM   #1
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Rep: Reputation: 5
Sudo question


1. My debian sudo file has a format like: 'user ALL=(ALL:ALL) ALL'. I can't find any explanation as to what the ALL:ALL means. Can anyone explain this or know where this might be explained?

2. I have a user who has been given full sudo privileges. I would like to prevent him from executing one single program on the system. I know how to include things that he could execute, but that would require quite a list of programs. I played with the 'user ALL=(root)NOEXEC: /user/path/to/the/program' parameter, but it didn't stop the user from sudoing the program. Anyone know how I might prevent him from executing this one program?

Thanks.
 
Old 05-14-2014, 04:59 PM   #2
Enindu
Member
 
Registered: Apr 2014
Location: Colombo, Sri Lanka.
Distribution: Arch Linux
Posts: 69

Rep: Reputation: 13
Refer to these wiki pages.

https://wiki.debian.org/sudo
https://wiki.archlinux.org/index.php/sudo
 
Old 05-14-2014, 05:01 PM   #3
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Thanks.
 
Old 05-14-2014, 05:15 PM   #4
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
ALL=
Any location

(ALL:ALL)

Means they can execute as any user, or group

(foo:foo)
They can only execute as user/group foo

foobar=(ALL:ALL)
as any user, but only from 'location' ( like via ssh ) foobar


Best to read sudo documentation, especially if you are admin


Start with
Code:
man sudo
Then some web searches.

Don't want to be a rtm guy, but on tablet at the moment
If you are still stuck I'm sure someone else can help before I can


But will add,

Use visudo to edit rules

And last rule wins!
So
Code:
User ALL=(ALL:ALL) ALL
User foobar=(ALL:ALL) EXEC:!/bin/foobarNO.sh
User can do anything, unless from foobar, when they can do all BUT /bin/foobarNO.sh
Hope that makes sense

Last edited by Firerat; 05-14-2014 at 05:16 PM. Reason: Tablo, U not
 
Old 05-14-2014, 05:21 PM   #5
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
That was my problem. I left out the ! before /bin/foobarNO.sh. Thanks, that answered it. I tried to make sense of the man sudo, but couldn't understand it.
 
Old 05-14-2014, 05:40 PM   #6
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
Quote:
Originally Posted by battles
That was my problem. I left out the ! before /bin/foobarNO.sh. Thanks, that answered it. I tried to make sense of the man sudo, but couldn't understand it.
Careful!

You had NOEXEC
I had EXEC
The ! Just inverts it

Really you need to read the docs,
I've just done a very bad job paraphrasing them from memory

Good idea to set up a VM (VirtualBox is quick and easy for such things) to test it

And you need to test many things
Somewhere in the docs are things like not getting a root shell with things like vi, vim, less etc.

sudo is great, but it is (when incorrectly configured) a security nightmare
Read as much as you can...
 
Old 05-14-2014, 05:51 PM   #7
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
I have a VM with debian weasy (or whatever it is called), but I haven't messed with it. Better than to mess up my server, of course.
Here is an example of what I wanted to do that works, thanks to your example (I didn't even notice you used EXEC):

sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free

This allows sam root privileges, but prevents him from using the 'free' program with sudo.

Last edited by battles; 05-14-2014 at 05:53 PM.
 
Old 05-14-2014, 06:01 PM   #8
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
Are you certain that does what you need?

When testing, open a new shell (if GUI just start a new term; in screen do ctrl+a then c)

and it's wheezy, as in the "Toy Story" character.
All the Debian codenames are Toy Story chars,
Sid being the unstable one.

Last edited by Firerat; 05-14-2014 at 06:03 PM.
 
Old 05-14-2014, 06:12 PM   #9
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
In fact!
Code:
sam ALL=(ALL:ALL) /usr/bin/free
They can only execute that as anyone

Code:
sam ALL=(ALL:ALL) ALL, NOEXEC:/usr/bin/vim
Means they can execute vim as anyone, but can't get a shell

Read docs, don't even trust me, I missed that !
 
Old 05-14-2014, 06:18 PM   #10
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Proof(I think?)

sudo file
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free



sam@host:~$ free
total used free shared buffers cached
Mem: 514436 438140 76296 0 146480 224076
-/+ buffers/cache: 67584 446852
Swap: 0 0 0

sam@host:~$ sudo free
[sudo] password for sam:
Sorry, user sam is not allowed to execute '/usr/bin/free' as root on localhost.


sam@host:~$ sudo ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 May04 ? 00:00:15 init [2]
root 2 0 0 May04 ? 00:00:00 [kthreadd]
root 3 2 0 May04 ? 00:00:08 [ksoftirqd/0]
...
 
Old 05-14-2014, 06:27 PM   #11
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
Nah,

try doing something else, other than free

Test "everything"

Edit:
Sorry I'm confused now


You want them to be able to do everything but,
or only a selected few?

Last edited by Firerat; 05-14-2014 at 06:30 PM.
 
Old 05-14-2014, 06:44 PM   #12
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Everything but. Another example:

sudo file
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free,!/usr/bin/updatedb


sam@host:~$ updatedb
updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
sam@host:~$ sudo updatedb
[sudo] password for john:
Sorry, user sam is not allowed to execute '/usr/bin/updatedb' as root on localhost.
sam@host:~$

Before changing the sudo file to exclude updatedb, sam was able to do a sudo updatedb.
 
Old 05-14-2014, 07:15 PM   #13
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian Jessie / sid
Posts: 1,471

Rep: Reputation: 444
Ok
Actually makes sense now I think about it

NOEXEC
Means can run 'as' but not get subshell ( good )
The ! Means, can't do this "one"

still a good idea to read the docs.

sudo is convenient, but you must be careful with what you give.

As you can see, my memory is 'suspect' with it; I usually review docs,
but it's not an everyday thing for me...
If in doubt, man + web search (give low weighting to blogs; good and bad out there).

Last edited by Firerat; 05-14-2014 at 07:17 PM. Reason: Tablos (typos via tablet )
 
Old 05-14-2014, 09:36 PM   #14
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,130
Blog Entries: 2

Rep: Reputation: 4825
Please be careful with this. Even with not being allowed to start free using sudo in the above example, I still can start Vim using sudo, run Vim's :shell command and have full root access to that machine.
 
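The rule-selection logic the posts above are probing (last match wins, '!' negation, EXEC:/NOEXEC: tags) modelled in Python as an added example; it is not code from the thread or from sudo itself, and it covers only the sudoers subset used here. The sudoers lines inside it are the thread's own plus a constructed allow-list variant, so it shows why the "everything but free" rule still lets vim run with exec permitted, which is TobiSGD's point.

```python
import re
from dataclasses import dataclass

# One sudoers line of the form: user host=(runas_user[:runas_group]) command_list
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*\(([^:)]+)(?::([^)]+))?\)\s*(.*)$")

@dataclass
class Cmd:
    path: str      # "ALL" or an absolute path
    allowed: bool  # False when the entry was written as !/path
    noexec: bool   # True when a NOEXEC: tag is in force for this entry

def parse_rule(line):
    """Parse the subset of sudoers syntax used in the thread above."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported sudoers line: {line!r}")
    user, host, runas_user, runas_group, cmdspec = m.groups()
    cmds, noexec = [], False
    for item in cmdspec.split(","):
        item = item.strip()
        # EXEC:/NOEXEC: tags stay in force for the entries that follow them
        while ":" in item and item.split(":", 1)[0] in ("EXEC", "NOEXEC"):
            tag, item = item.split(":", 1)
            noexec, item = tag == "NOEXEC", item.strip()
        cmds.append(Cmd(item.lstrip("!"), not item.startswith("!"), noexec))
    return user, host, runas_user, runas_group or runas_user, cmds

def decide(rules, user, host, runas, command):
    """Return (allowed, noexec) for one sudo request; the last matching entry wins."""
    verdict = (False, False)  # no matching entry at all: sudo refuses
    for line in rules:
        u, h, ru, _rg, cmds = parse_rule(line)
        if u != user or h not in ("ALL", host) or ru not in ("ALL", runas):
            continue
        for c in cmds:
            if c.path in ("ALL", command):
                verdict = (c.allowed, c.noexec)
    return verdict

# The thread's "everything but free" rule beside a constructed allow-list alternative.
BLACKLIST = ["sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free"]
ALLOWLIST = ["sam ALL=(root) NOEXEC: /usr/bin/vim, /usr/bin/updatedb"]

if __name__ == "__main__":
    for cmd in ("/usr/bin/free", "/usr/bin/vim"):
        print(cmd, "blacklist:", decide(BLACKLIST, "sam", "host", "root", cmd),
              "allowlist:", decide(ALLOWLIST, "sam", "host", "root", cmd))
```

The NOEXEC tag in the allow-list variant is what stops an editor from handing out a shell; sudoers(5) notes that it only covers dynamically linked programs and that subtracting commands from ALL with '!' is not an effective restriction, so the allow-list form is the one to prefer.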
Old 05-15-2014, 10:27 AM   #15
battles
Member
 
Registered: Apr 2014
Distribution: Debian GNU/Linux 7.5 (wheezy)
Posts: 231

Original Poster
Rep: Reputation: 5
Quote:
Originally Posted by TobiSGD
Please be careful with this. Even with not being allowed to start free using sudo in the above example, I still can start Vim using sudo, run Vim's :shell command and have full root access to that machine.
You devil, you!
 