LinuxQuestions.org
Old 11-18-2013, 01:37 PM   #1
DavidDiepUSC
SUDO / setfacl help!


Hi everyone,

I have RHEL 6.2 and I set up a userid with sudo. I added the userid to the %wheel group, which has all access to all commands:

%wheel ALL=(ALL) ALL

I have also restricted the group to have no write authority to /etc/sysconfig/*

setfacl -m g:wheel:r-x /etc/sysconfig

Under the restricted userid, I was able to cat any file under the /etc/sysconfig directory. I was also not able to edit any files in the same directory. However, when I invoked sudo, I was able to edit anything I want.

It seems as if setfacl only works when sudo rights have not been given.

At the end of the day, I want the userid to have sudo access, but I do not want it to have the ability to edit anything important, like the subdirectories and files under /etc/sysconfig... any suggestions??
 
Old 11-18-2013, 02:30 PM   #2
druuna
Your setup won't work.

When you use sudo you become the root user for the execution of that command. Try executing, as a normal user who belongs to the wheel group, whoami and then sudo /usr/bin/whoami

The ACL restrictions, as implemented, won't stop root.

I think your approach is incorrect: Instead of giving users sudo access to all and then excluding some stuff, you should selectively give users access to certain root commands they specifically need.

Too many commands can be misused to gain real root access if you allow access to all. For example: When this is in place %wheel ALL=(ALL) ALL and no further restrictions are set then all I have to do is sudo vi and from vi :sh to get full root access.

Maybe these links will help:
- HowTO: Sudoers Configuration
- Linux Users and Sudo
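An added example, not part of the thread: a small audit that reads sudoers-format text and flags the two problems described in the reply above, a rule that grants every command and a rule that grants an editor with a shell escape without the NOEXEC tag. The user names, the sample rules other than the %wheel line, and the ESCAPE_CMDS variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant every command or a shell-escape editor.
# Assumptions: no alias expansion, no #include handling, no backslash continuations.
# ESCAPE_CMDS is a hypothetical knob listing basenames to treat as shell-capable.

audit_sudoers() {
    awk -v escapes="${ESCAPE_CMDS:-vi vim}" '
    BEGIN { n = split(escapes, e, " "); for (i = 1; i <= n; i++) esc[e[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                        # comments and blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }   # settings and alias definitions
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)    # drop the (runas) part
        noexec = 0                                 # tag state carries across the list
        m = split(spec, cmds, ",")
        for (j = 1; j <= m; j++) {
            c = cmds[j]
            if (c ~ /NOEXEC:/) noexec = 1
            else if (c ~ /EXEC:/) noexec = 0
            gsub(/[A-Z_]+:[ \t]*/, "", c)          # strip tags such as NOPASSWD:
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c ~ /^!/) continue                 # negated entries grant nothing
            if (c == "ALL") { print "UNRESTRICTED " who; continue }
            split(c, w, " "); k = split(w[1], p, "/")
            if ((p[k] in esc) && !noexec) print "SHELL_ESCAPE " who " " w[1]
        }
    }'
}

# Constructed sample input; the first rule is the one quoted in the thread.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real system
Defaults    requiretty
%wheel      ALL=(ALL) ALL
%webops     ALL=(root) /sbin/service httpd restart, /sbin/service httpd status
alice       ALL=(root) NOPASSWD: /usr/bin/vi /etc/httpd/conf/httpd.conf
bob         ALL=(root) NOEXEC: /usr/bin/vi /etc/httpd/conf/httpd.conf
carol       ALL=(root) sudoedit /etc/httpd/conf/httpd.conf
EOF
}

sample_sudoers | audit_sudoers
```

On the sample it reports the %wheel rule and alice's plain vi grant; the narrowly scoped service commands, the NOEXEC rule and the sudoedit rule pass.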
 
  

