LinuxQuestions.org
Old 08-19-2008, 04:27 PM   #1
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL 5.0
Posts: 135

Rep: Reputation: 16
Giving privilege to user


I have to give certain users super user privilege but at the same time deny them "su" once they do have that privilege.

I thought about using sudoers but it doesn't recommend giving someone all sudo access and then a list of commands that are not allowed.

How can I meet the above requirements?

Chris
 
Old 08-19-2008, 04:32 PM   #2
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
This seems self-defeating. If you give access via sudo to everything but su, you've given access to everything. Sudo gives the same permissions as su would give.

If you are trying to give limited permission, then only give sudo access to exact commands you need others to perform. Clarify your needs more to get additional help.
 
Old 08-19-2008, 07:41 PM   #3
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL 5.0
Posts: 135

Original Poster
Rep: Reputation: 16
Due to the nature of the work, the specific commands vary from user to user and are too numerous to customize sudoers for each individual.

I am allowed to give them full to super user with the only restriction of not being able to switch (su) into a specific account.

I know the name of the account they are forbidden to enter into. Does that help? For example:

su joe

Would want to be denied. LDAP is being used.
 
Old 08-19-2008, 07:57 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well if you're giving full access to run anything via sudo, there are a million ways someone could turn that into su access as well. Simply put, it's impossible to do what you're trying to do by manually listing the commands they aren't allowed to run. You might be able to prevent a few incompetent users from figuring out they can run commands as another user, but anyone who's half-way clever will be able to overcome your restrictions unless you do a default deny/explicit permit.
 
Old 08-19-2008, 08:41 PM   #5
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
Quote:
Originally Posted by Corrado
I am allowed to give them full to super user with the only restriction of not being able to switch (su) into a specific account.
Adding to what chort has already stated, the above comment shows a deep misunderstanding about sudo and su. They BOTH switch users. Do you know about sudo -s? Guess what? Root shell. Now how do you prevent any other command from being run?

Essentially:

sudo -s -u joe == su joe
sudo -s == su

Last edited by Mr. C.; 08-19-2008 at 08:43 PM.
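
The "grant everything, then list exceptions" rule that chort and Mr. C. warn against can be found mechanically in a policy file. The script below is an added example, not part of any post in this thread: it flags sudoers rules that combine ALL with "!" exclusions. The sample policy, its user names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant ALL commands and then subtract
# some with "!" (a deny-list), the pattern this thread warns against.

# Constructed sample policy; users, group and command paths are hypothetical.
sample_sudoers() {
cat <<'EOF'
# deny-list: everything except su
alice   ALL = (ALL) ALL, !/bin/su
# allow-list: only the commands the job needs
bob     ALL = (root) /sbin/service httpd restart, /usr/bin/tail /var/log/messages
%ops    ALL = (ALL) NOPASSWD: ALL, !/bin/su, !/bin/bash
Defaults !visiblepw
carol   ALL = (ALL) ALL
EOF
}

# Reads sudoers text on stdin and prints "LINE: rule" for each user spec whose
# command list holds ALL plus at least one negated entry.
# Limitations: no line continuations, no expansion of Cmnd_Alias contents.
find_denylist_rules() {
    awk '
        /^[ \t]*(#|$)/            { next }   # comments and blank lines
        /^[ \t]*Defaults/         { next }   # settings, not user specs
        /^[ \t]*[A-Za-z]+_Alias/  { next }   # alias definitions
        {
            eq = index($0, "=")
            if (eq == 0) next
            cmds = substr($0, eq + 1)
            sub(/^[ \t]*\([^)]*\)/, "", cmds)        # drop the (runas) part
            n = split(cmds, item, ",")
            has_all = 0; has_neg = 0
            for (i = 1; i <= n; i++) {
                c = item[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)       # trim whitespace
                sub(/^([A-Z]+:[ \t]*)+/, "", c)      # drop tags such as NOPASSWD:
                if (c == "ALL") has_all = 1
                if (c ~ /^!/)   has_neg = 1
            }
            if (has_all && has_neg) print NR ": " $0
        }
    '
}

sample_sudoers | find_denylist_rules
```

On the sample it reports the alice and %ops rules; the bob rule is the explicit-permit form and is not flagged.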
 
Old 08-20-2008, 06:19 PM   #6
Corrado
Member
 
Registered: Aug 2004
Location: Washington
Distribution: RHEL 5.0
Posts: 135

Original Poster
Rep: Reputation: 16
From the discussion above it looks as though sudo is not the way to go.

I'm not sure what can be done with ldap but I think I can have a specific account only be allowed to authenticate from a certain host.

Anyone know anything about getting ldap to do this?

Last edited by Corrado; 08-21-2008 at 01:27 PM.
 
All times are GMT -5. The time now is 06:38 PM.