deny sudo -s/ sudo -i command in linux with /etc/sudoers
The way to deny it would be to whitelist only the allowed commands. You've got that for some of the aliases, but not all. Remove any attempt at blacklisting. Trying to blacklist can't / won't / doesn't work. Hint: think about hardlinks made from ln or copies made from cp.
The best background material for how to use sudo is found in M W Lucas' book sudo Mastery. His presentation "sudo: You're Doing it Wrong" can be found on YouTube and his slides for that are online too. But the book is quite handy and very concise.
Last edited by Turbocapitalist; 02-14-2017 at 12:11 AM.
Reason: copy
Yes, do not try to blacklist; there can always be another solution to reach their goal. Better to allow only what is really required, and be strict about that.
OK, we are going to deploy a root management system with sudo.
Phase one: we want to recycle all root promotion right. But we still allow user to use sudo to execute command except sudo -s or sudo -i.
Phase two: we will restrict user to execute limited commands, which is blacklist rule.
Do you have any solution to avoid user to execute or promote to root account in phase one?
Quote:
Do you have any solution to avoid user to execute or promote to root account in phase one?
You still did not understand, it is just meaningless/pointless. If they have any (other) possibility to be root, you are lost. And they definitely have. Countless.
Quote:
Phase two: we will restrict user to execute limited commands, which is blacklist whitelist rule.
Blacklisting cannot, will not, does not work. Perhaps the ultimate example is that a user can always copy a shell to a new file name and then execute that new file as root.
Please see the book mentioned or at least the presentation, some fundamental misunderstandings about sudo need to be cleared up before you can progress.
Quote:
You still did not understand, it is just meaningless/pointless. If they have any (other) possibility to be root, you are lost. And they definitely have. Countless.
Of course, 100 percent to avoid user to promote to root from technique is impossible, but we can define action policy to tell people do not try to promote to root right with an unconventional way.
With this policy, we at least need to deny user to execute sudo -s or sudo -i to promote to root from technique, because these two commands look so normal.
When I mean technique, the solution doesn't limit on /etc/sudoers, it can be others.
The blacklisting here is pointless, what stops the user doing "sudo /bin/sh"? What stops the user doing "sudo /bin/bash", what stops the user doing "sudo ln -s \bin\bash rootme; sudo rootme" and I could come up with potentially hundreds more ways of getting the same results. Such as 'sudo su -', 'sudo vi /etc/sudoers', 'sudo visudo', etc.
As others have said above, it is preferential to whitelist over blacklist.
Quote:
Originally Posted by gbcbooks
Of course, 100 percent to avoid user to promote to root from technique is impossible.
Well the whole point of sudo is to switch to root, so it'd be pointless to use sudo if you didn't become root. Thus the 100% way to avoid it is to grant no sudo access at all.
Last edited by r3sistance; 02-14-2017 at 07:20 AM.
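The point made in the post above, as an added example that is not part of any post in this thread: an audit sketch that flags sudoers rules of the "ALL, !something" blacklist form, which grant the same effective access as an unrestricted rule. The sample policy, the user and alias names, and the function names are all constructed for illustration, and the parser covers only a simplified subset of the sudoers grammar (one rule per user, no includes, no escaped commas).

```python
import re

# Constructed sample (not from the thread): blacklist, unrestricted, whitelist.
SAMPLE_SUDOERS = r"""
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/su
Cmnd_Alias WEBOPS = /usr/bin/systemctl restart nginx, \
                    /usr/bin/systemctl status nginx
alice  ALL = (root) ALL, !SHELLS
bob    ALL = (ALL) ALL
carol  ALL = (root) NOPASSWD: WEBOPS
"""
NOT_A_RULE = re.compile(r"(Defaults|\w+_Alias)\b")

def logical_lines(text):
    """Join backslash continuations; drop comments and blanks (no #include)."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def split_cmds(spec):
    return [c.strip() for c in spec.split(",") if c.strip()]

def expand(items, aliases):
    """Replace alias names by their members, carrying a leading '!' through."""
    out = []
    for item in items:
        neg, name = item.startswith("!"), item.lstrip("! ")
        members = expand(aliases[name], aliases) if name in aliases else [name]
        out += [("!" + m).replace("!!", "") if neg else m for m in members]
    return out

def classify(text):
    """Return {user: 'blacklist' | 'unrestricted' | 'whitelist'}."""
    lines = list(logical_lines(text))
    aliases = {m[1]: split_cmds(m[2]) for l in lines
               if (m := re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", l))}
    verdicts = {}
    for l in lines:
        if NOT_A_RULE.match(l):
            continue
        user, rest = l.split(None, 1)
        # Drop the Runas list "(...)" and tags such as NOPASSWD: before splitting.
        spec = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", rest.split("=", 1)[1])
        items = expand(split_cmds(spec), aliases)
        negated = any(i.startswith("!") for i in items)
        verdicts[user] = ("whitelist" if "ALL" not in items
                          else "blacklist" if negated else "unrestricted")
    return verdicts
```

Calling `classify(SAMPLE_SUDOERS)` reports alice as "blacklist", bob as "unrestricted" and carol as "whitelist"; rules in the first two classes are the ones to rewrite as explicit command lists.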
Quote:
Well the whole point of sudo is to switch to root,...
It supports switching to any user, not necessarily only root, though maybe root is most common. You can, for example, use sudo to launch a game server as another unprivileged user. That allows reduced access by the game server, especially if it is a multi-player server.
Quote:
It supports switching to any user, not necessarily only root, though maybe root is most common. You can, for example, use sudo to launch a game server as another unprivileged user. That allows reduced access by the game server, especially if it is a multi-player server.
I meant the purpose of it, that being superuser do. Of course it can run things as different users too, I didn't mean to imply it couldn't.
Quote:
The blacklisting here is pointless, what stops the user doing "sudo /bin/sh"? What stops the user doing "sudo /bin/bash", what stops the user doing "sudo ln -s \bin\bash rootme; sudo rootme" and I could come up with potentially hundreds more ways of getting the same results. Such as 'sudo su -', 'sudo vi /etc/sudoers', 'sudo visudo', etc.
As others have said above, it is preferential to whitelist over blacklist.
Well the whole point of sudo is to switch to root, so it'd be pointless to use sudo if you didn't become root. Thus the 100% way to avoid it is to grant no sudo access at all.
I know the blacklisting way to deny user to promote root is pointless, and though phase one is not the end, it is just a transitional period for us. All we want to do in phase one is to make it a little difficult to promote as root. We would like to force user to form some habit, which is do not use root to do what isn't really necessary. Phase two is our final target. I hope that you can understand my intention. The examples you gave out all violate our execution policy, and we do have syslog system to account user operations.
So they violate the execution policy right now. And what do you think, will they do that with another set of sudo rules? Certainly yes, if they will find a way. Will another (an even better) policy protect your system? By the way, is there any real sanction against them?
Quote:
So they violate the execution policy right now. And what do you think, will they do that with another set of sudo rules? Certainly yes, if they will find a way. Will another (an even better) policy protect your system? By the way, is there any real sanction against them?
You still don't understand. In phase one, I'm giving users a sign that we want to restrict root right; it is going to influence their operation if they don't change their habit when we change the sudo policy from blacklisting to whitelist in phase two. Users should care about what is next.