sudo exceptions

mikejreading · 11-05-2010, 07:07 AM

Hi all,

I have set up the sodoers file to allow everyone in "group1" full sudo permissions without needing to enter their password.

Is there any way to allow users to perform everything except the shutdown command?

MensaWater · 11-05-2010, 08:30 AM

It would be a waste of time to try.

You could try using the negation (!) in front of shutdown command but then they might use reboot, halt, init or other utilities to get around that. You could locate every single utility that has the effect of stopping the system and then they'd simply do something like "sudo vi" and type ":!/bin/bash" to get a shell prompt that would then allow them to bypass any sudo restriction because that shell prompt would be a root shell prompt.

You really should NOT give global access to all commands to anyone other than system administrators and those should be allowed to shutdown the server. You should spend time finding out exactly what this "group" needs and grant only those commands. Trying to grant all then exclude a few simply won't work. You also need to investigate any command you plan to give to the group to be sure it doesn't pose security issues that make putting it in sudo the same thing as giving them full root access (e.g. vi many other programs allow for shell prompts, chmod would allow them to create a file with setuid, etc...).

Simon Bridge · 11-05-2010, 08:37 AM

You should rethink that policy. Always require password. Whitelist commands rather than blacklist them. I know it is very tempting - but it means you have to guess every possible way to do the thing you don't want to happen.

If your whitelist is too restrictive, your admins will complain to start with and you can think about it and keep adding commands you think are OK to the list until they stop complaining.
What you want to define needs the logical not (!) in front of the command is sudoers.

Note: you don't need to create a special group for sudo access, the one called "wheel" already does this.

So you'll have a line like:

wheel ALL = (ALL) ALL, !/sbin/shutdown

Careful though - this is not actually going to stop anyone shutting the system down. From the man page:

Quote:

It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

The man page also has advise about handling shell escapes.

Really, if you trust your admins with total access like this, just ask them to please not shutdown the system.

anomie · 11-05-2010, 02:56 PM

Quote:

Originally Posted by mikejreading

Is there any way to allow users to perform everything except the shutdown command?

Probably not. To add to the previous comments (including those about how vim(1), less(1), and others allow shell commands to be issued):

Code:

$ cat shut-it-down.sh 
#!/bin/sh

/sbin/shutdown -h now

exit 0

$ sudo ./shut-it-down.sh

Code:

$ sudo mv /sbin/shutdown /sbin/gotcha

$ sudo /sbin/gotcha -h now

mikejreading · 11-05-2010, 06:15 PM

Thanks for all the replies guys.

Having heard all of your thoughts I realise I was just doing a bit of lazy admin. I think the way forward is to see what the admins complain about..

Thanks guys :-)

Simon Bridge · 11-07-2010, 03:39 AM

Read the sudoers manual - at the bottom there are examples. It shows you how to set up an admin group alias, assign people to it, and assign commands for them. So, instead of giving all your admins access to the wheel (unix) group, put them in ADMIN in sudoers and just list allowed commands for them.