How can I disable "sudo -s -H"?

jeewiz · 07-25-2008, 08:17 AM

I'm running RHEL4, and I'm trying to lock admins out from full access of the root account. I have changed root's entry in /etc/passwd to:

Code:

root:x:0:0:root:/root:/sbin/nologin

This disabled "sudo su -", but not "sudo -s -H". I found a small article from Red Hat http://www.redhat.com/docs/manuals/l...PRIVILEGES-PAM but I can't figure out how to utilize this as I need to. Any ideas?

anomie · 07-25-2008, 01:43 PM

Quote:

Originally Posted by jeewiz

I'm running RHEL4, and I'm trying to lock admins out from full access of the root account.

You don't have enough thumbs to plug all the holes in that dam.

Even if you prevent sudoers from gaining root's powers in the fashion you describe, there are many, many other ways they can get there. Trivial examples:

sudo bash
sudo vi (and then run shell commands from within vi)
sudo less (and then run shell commands from within less)
sudo vi /etc/rc.sysinit (it's a free-for-all upon next reboot...)

The lesson here is you're going to need to be more restrictive with your sudoers. Carefully select the commands they can run based on the jobs they need to perform. (This follows a policy of selectively allowing certain access, and denying all the rest by default.)

chort · 07-25-2008, 02:01 PM

Quote:

Originally Posted by anomie

The lesson here is you're going to need to be more restrictive with your sudoers. Carefully select the commands they can run based on the jobs they need to perform. (This follows a policy of selectively allowing certain access, and denying all the rest by default.)

I'm just going to reiterate that because it's an extremely important point.

If there are certain tasks admins need to perform as a superuser, create macros for them in sudoers and add those macros to the user or group who should be able to execute them.

unSpawn · 07-25-2008, 02:38 PM

Quote:

Originally Posted by chort

create macros for them in sudoers and add those macros to the user or group who should be able to execute them.

I agree more restrictive Sudo is the way but I don't see no macro caps mentioned in the docs? Something new or did you mean something else?

chort · 07-25-2008, 05:00 PM

Like this:

Code:

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
...
%wheel ALL = SERVICES

OK, so they're technically called "aliases", not "macros". My bad on the terminology!

unSpawn · 07-26-2008, 05:59 AM

NP, I thought I was missing some new feature again...