Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
You could try using the negation (!) in front of the shutdown command but then they might use reboot, halt, init or other utilities to get around that. You could locate every single utility that has the effect of stopping the system and then they'd simply do something like "sudo vi" and type ":!/bin/bash" to get a shell prompt that would then allow them to bypass any sudo restriction because that shell prompt would be a root shell prompt.
You really should NOT give global access to all commands to anyone other than system administrators and those should be allowed to shut down the server. You should spend time finding out exactly what this "group" needs and grant only those commands. Trying to grant all then exclude a few simply won't work. You also need to investigate any command you plan to give to the group to be sure it doesn't pose security issues that make putting it in sudo the same thing as giving them full root access (e.g. vi and many other programs allow for shell prompts, chmod would allow them to create a file with setuid, etc.).
You should rethink that policy. Always require password. Whitelist commands rather than blacklist them. I know it is very tempting - but it means you have to guess every possible way to do the thing you don't want to happen.
If your whitelist is too restrictive, your admins will complain to start with and you can think about it and keep adding commands you think are OK to the list until they stop complaining.
What you want to define needs the logical not (!) in front of the command in sudoers.
Note: you don't need to create a special group for sudo access, the one called "wheel" already does this.
So you'll have a line like:
%wheel ALL = (ALL) ALL, !/sbin/shutdown
Careful though - this is not actually going to stop anyone shutting the system down. From the man page:
Quote:
It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
The man page also has advice about handling shell escapes.
Really, if you trust your admins with total access like this, just ask them to please not shut down the system.
Last edited by Simon Bridge; 11-05-2010 at 08:44 AM.
Read the sudoers manual - at the bottom there are examples. It shows you how to set up an admin group alias, assign people to it, and assign commands for them. So, instead of giving all your admins access to the wheel (unix) group, put them in ADMIN in sudoers and just list allowed commands for them.
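The points made across the replies above (subtracting from ALL, passwordless rules, and whitelisted commands such as vi or chmod that hand back root) can be checked mechanically. The following is an added example, not code from any poster or from the sudo project: a simplified line-based audit of sudoers text, where the sample rules and the group names %webadmins and %editors are constructed for illustration.

```python
import os
import re

# Commands the posts above name as root-equivalent under sudo (extend as needed).
ROOT_EQUIVALENT = {"vi": "shell escape to a root shell",
                   "chmod": "can set the setuid bit on a file"}

# Constructed sample; %webadmins and %editors are hypothetical groups.
SAMPLE = """\
Cmnd_Alias WEBCTL = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
%wheel ALL = (ALL) ALL, !/sbin/shutdown
%webadmins ALL = (root) WEBCTL
%editors ALL = (root) NOPASSWD: /usr/bin/vi /etc/httpd/conf/httpd.conf
"""

def audit_sudoers(text):
    """Return sorted (who, finding) pairs for risky user specifications."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    aliases, findings = {}, set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        left, right = (part.strip() for part in line.split("=", 1))
        words = left.split()
        if words[0] == "Cmnd_Alias":
            aliases[words[1]] = [c.strip() for c in right.split(",") if c.strip()]
            continue
        if words[0].endswith("_Alias") or words[0].startswith("Defaults"):
            continue  # other alias types and Defaults grant nothing by themselves
        who = words[0]
        right = re.sub(r"\([^)]*\)", "", right)        # drop (runas) lists
        tags = set(re.findall(r"\b([A-Z_]+):", right))  # NOPASSWD:, NOEXEC:, ...
        right = re.sub(r"\b[A-Z_]+:", "", right)
        allowed, denied = [], []
        for item in (i.strip() for i in right.split(",") if i.strip()):
            name = item.lstrip("! ")
            bucket = denied if item.startswith("!") else allowed
            bucket.extend(aliases.get(name, [name]))
        if "ALL" in allowed and denied:
            findings.add((who, "subtracts from ALL: " + ", ".join(denied)))
        if "NOPASSWD" in tags:
            findings.add((who, "NOPASSWD: no password required"))
        for cmd in allowed:
            base = os.path.basename(cmd.split()[0])
            if base in ROOT_EQUIVALENT:
                findings.add((who, base + ": " + ROOT_EQUIVALENT[base]))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE), sep="\n")
```

The parser only understands one-alias-per-line Cmnd_Alias definitions and plain user specifications, so treat its output as a review aid and keep using visudo -c for syntax checking.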