LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-05-2015, 07:08 PM   #1
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Rep: Reputation: Disabled
Sudoers not working without absolute apth


Hi all,

Cmnd_Alias AVAMAR_APPS=/bin/vi /usr/local/avamar/*

user ALL = (ROOT) NOPASSWD: AVAMAR_APPS


For the above sudo access to view all the files within /usr/local/avamar/ and its subdirectories are not working properly.
its working only when i give with full pathname from the home directory.

for every time i have to give the full pathname from home directory to view files,as below

user@server1 ~]$ sudo vi /usr/local/avamar/bin

please suggest how to view the files via vi within all the sub directories under /usr/local/avamar itself using sudo.
 
Old 08-05-2015, 08:30 PM   #2
mralk3
Member
 
Registered: May 2015
Posts: 760

Rep: Reputation: 232Reputation: 232Reputation: 232
As far as I know, you have to specify the full path to each executable/action you wish your sudoers user/group to use.

It would be a large security risk to allow every executable in a directory, for example, all of /bin. Especially if you set sudoers to require no password.
 
Old 08-06-2015, 11:46 AM   #3
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi mralk3,

Thanks for your reply, I do understand the security concern, but our user presisting to find a way to run sudo from the subdirectories,
Is there any way to accomplish that without compromising security.
 
Old 08-06-2015, 12:09 PM   #4
mralk3
Member
 
Registered: May 2015
Posts: 760

Rep: Reputation: 232Reputation: 232Reputation: 232
Quote:
Originally Posted by niresh2012 View Post
Hi mralk3,

Thanks for your reply, I do understand the security concern, but our user presisting to find a way to run sudo from the subdirectories,
Is there any way to accomplish that without compromising security.
Well, if somehow a piece of malware was copied/installed on your system in the sub directory you pick, anyone on the system could run it without a password. You are essentially removing user/group permissions from your system for every file/binary installed to that directory.

I don't see why you cannot just enter the full path for each application you wish to run into the sudoers file. That is how sudo was intended to be used. If it's a production environment, I personally wouldn't be allowing every user on the system passwordless access to any file/binary in a directory. It is essentially giving root access to every user on the system to all files in that directory.

To hack your system all an attacker would need to do is replace/add malware to that directory and run....

Code:
~# sudo /path/to/sudo/dir/uber-malware
...your system is now compromised with a backdoor, rootkit, take-your-pick malware.

EDIT
The only thing preventing such a compromise would be if the directory had the right file permissions to prevent unprivileged users from writing files to that directory. Still though, nothing is preventing unprivileged users from causing damage to the system with the already installed binaries because they have full access to the system.

Last edited by mralk3; 08-06-2015 at 12:13 PM.
 
Old 08-06-2015, 12:16 PM   #5
cynwulf
Senior Member
 
Registered: Apr 2005
Location: The Black Country, UK
Posts: 1,742
Blog Entries: 1

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
Quote:
Originally Posted by niresh2012 View Post
Hi mralk3,

Thanks for your reply, I do understand the security concern
No clearly you do not.

Quote:
Originally Posted by niresh2012 View Post
but our user presisting to find a way to run sudo from the subdirectories,
Is there any way to accomplish that without compromising security.
No.
 
Old 08-06-2015, 12:20 PM   #6
mralk3
Member
 
Registered: May 2015
Posts: 760

Rep: Reputation: 232Reputation: 232Reputation: 232
Quote:
Originally Posted by cynwulf View Post
No clearly you do not.


No.
So harsh, haha. I had a similar response in mind but decided it would be more constructive for everyone to explain the security implications. I try my best not to flame people for threads like this...



 
Old 08-06-2015, 01:11 PM   #7
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
@mralk3

dont get me in the wrong way, I didn't mean to be harsh to you. user is requesting why he need run with whole pathname, when he is already into the particular subdirectory. I even tried for sudo access for every subdirectory inside /usr/local/avamar, but still its working only with the full pathname. Is there any way to overcome this by sudo itself instead of changing permissions for the directories?
 
Old 08-06-2015, 01:15 PM   #8
mralk3
Member
 
Registered: May 2015
Posts: 760

Rep: Reputation: 232Reputation: 232Reputation: 232
You misunderstand. No reason to change the permissions for the directory. With sudo there is no way to add a full directory to the sudoers file.

You have to add the full path to each binary you wish your sudoers users to run without a password.

It is also not a good idea to do this on a production machine.
 
Old 08-06-2015, 05:18 PM   #9
niresh2012
LQ Newbie
 
Registered: Aug 2015
Posts: 4

Original Poster
Rep: Reputation: Disabled
Is there anyway can i achieve it by using alias
 
Old 08-06-2015, 07:24 PM   #10
mralk3
Member
 
Registered: May 2015
Posts: 760

Rep: Reputation: 232Reputation: 232Reputation: 232
Quote:
Originally Posted by niresh2012 View Post
Is there anyway can i achieve it by using alias
If what you mean are aliases using sudo, then yes. You can create a list of commands (using the full paths) and link it to an alias. Then refer to this alias for each user or user group that can run those commands.

You will not however be able to avoid adding the full paths of each command in the alias.

All of this is clearly stated in the sudo documentation. Here is a link that explains quite a bit about how sudo works:

https://help.ubuntu.com/community/Sudoers
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SUDOers not working in centos directory server kamran.ayub Linux - Server 2 07-13-2012 08:58 AM
Packages required for an absolute minimum working Linux system? tubb Linux - Newbie 12 01-25-2012 02:26 PM
Ubuntu 7.10 sudoers not working depam Ubuntu 12 01-12-2008 03:58 PM
LXer: Absolute Linux is an absolute winner LXer Syndicated Linux News 0 08-07-2007 07:32 PM
sudo not working, sudoers edited DIGITAL39 Linux - Newbie 2 12-18-2006 07:59 AM


All times are GMT -5. The time now is 12:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration