Old 02-27-2006, 03:04 AM   #1
Cenobite
LQ Newbie
 
Registered: Dec 2003
Location: South Africa
Distribution: CentOS, Arch
Posts: 25

Rep: Reputation: 0
sudo: limiting activity to the localhost


Firstly I wish to apologise if this question appears (and is solved) elsewhere on these forums, though I couldn't really find anything that tackles my specific problem.

I'm setting up a Linux server (Slackware 10.2) to which various dumb terminals connect via telnet. I've set it up so that only a specific non-root user (called "unisolv") is allowed to halt and reboot the server. I want this to only be allowed from the physical terminal, to negate the possibility that a user from one of the dumb terminals is able to shutdown the machine at will.

My /etc/sudoers file follows: (hostname = "jupiter")
Code:
Defaults requiretty
Defaults lecture=never

Host_Alias SERVER = jupiter

root   ALL=(ALL) ALL

%wheel   ALL=(ALL)ALL

# Allow user unisolv (only on localhost) to execute
# the following commands without requiring passwd.
unisolv SERVER = NOPASSWD:/sbin/shutdown -h,/sbin/shutdown -r
The problem is, the commands are executable from both the localhost as well as remotely via telnet. I've tried changing the "SERVER" Host_Alias variable to the address on the local net (192.168.0.23) but the problem persists. When changing the same value to "localhost", I am not allowed to execute the commands, even from the local host.

"localhost" exists in /etc/hosts as 127.0.0.1 and is fully pingable.

To recap, what I want is for the shutdown command to be run through sudo by the user unisolv, but only on the physical localhost and NOT remotely via telnet etc.

Any help on this issue would be greatly appreciated.
 
Old 02-28-2006, 09:13 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
Check out "man sudoers" under Defaults for "requiretty", then look under Examples on how to add this to your user/command.
 
Old 03-02-2006, 03:32 AM   #3
Cenobite
LQ Newbie
 
Registered: Dec 2003
Location: South Africa
Distribution: CentOS, Arch
Posts: 25

Original Poster
Rep: Reputation: 0
As noted above, I do have Defaults requiretty set.

I've also tried: Defaults@SERVER requiretty
And even: Defaults !!requiretty

None of this seems to help me, a user telnetting in under that username is still able to run the commands which I want to limit to the localhost.

Thanks in advance.
 
Old 03-02-2006, 08:06 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,518
Blog Entries: 51

Rep: Reputation: 2598
PAM listfile to the rescue...

Quote:
As noted above, I do have Defaults requiretty set.
Sorry. Overlooked that.


OK, I tried the "requiretty" myself, and according to how it should work this isn't a workable solution. A workaround could involve using a tty-checking wrapper script for the shutdown command. It is a weak solution because it requires more modifications to the system than it's worth IMHO.

A much better and easier workaround exists. The only requirements are that the user "unisolv" has only one sudo command (shutdown) (else you will have to move that command to a unique username that will only perform that one command) and that you use PAM (and have the PAM listfile module installed). I use it a lot to cover all kinds of PAM-ified access like ssh (I don't need no DenyUsers), sudo etc etc.

Add the allowed ttys to /etc/pam.d/sudo.tty. Open /etc/pam.d/sudo and add this line: "auth required pam_listfile.so item=tty sense=allow file=/etc/pam.d/sudo.tty onerr=fail apply=unisolv" in the "auth" section (above account). To check, ssh to this box with the "unisolv" account and issue "sudo -l". You should see in the logs that, because it has a pseudotty assigned, any sudo command should fail. Works for me, but as always YMMV(VM). If anyone has a more secure or "better" solution or any additions I'd like to hear that.
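Two facts tie the first post's failed attempts to the PAM answer above. The host part of a sudoers entry (the Host_Alias SERVER) is matched against the name of the machine sudo is running on, which is always "jupiter" whether the login came from the console or over telnet, so it cannot express "only from the physical terminal" (and "localhost" never matches because the host is not called that). And "Defaults requiretty" only demands that some terminal is attached: a telnet or ssh login gets a pseudo-terminal (/dev/pts/N), so it passes. What does distinguish the console is the tty name (/dev/tty1, /dev/tty2, ...), which is exactly what pam_listfile with item=tty compares. The script below is an added example, not code from the thread or from the pam_listfile module: it emulates the allow-list decision the posted "auth required pam_listfile.so item=tty sense=allow file=/etc/pam.d/sudo.tty onerr=fail apply=unisolv" line makes, so the policy can be reasoned about and tested before touching /etc/pam.d. It assumes the physical consoles are the virtual terminals tty1 through tty6 (the thread does not say which ttys the server has) and writes a constructed copy of sudo.tty to a temporary file.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the verdict of
#   auth required pam_listfile.so item=tty sense=allow \
#        file=/etc/pam.d/sudo.tty onerr=fail apply=unisolv
# for a given (user, tty) pair, using the same rules the module applies.

# "apply=unisolv": the check is applied to this user only.
APPLY_USER=unisolv

# pam_listfile strips a leading "/dev/" from the PAM tty item before
# comparing, so bare names (tty1, pts/0) are the natural form in the file.
normalize_tty() {
    case "$1" in
        /dev/*) printf '%s\n' "${1#/dev/}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# tty_allowed LISTFILE TTY
# Return 0 (allow) if TTY is listed in LISTFILE, 1 (deny) otherwise.
# "sense=allow": anything not listed is denied, which is what catches a
# pseudo-terminal such as pts/0 from a telnet or ssh session.
# "onerr=fail": an unreadable or missing list also denies, so a typo in
# the file= path fails closed instead of silently granting access.
tty_allowed() {
    listfile=$1
    name=$(normalize_tty "$2")
    [ -r "$listfile" ] || return 1
    [ -n "$name" ] || return 1
    grep -qxF -- "$name" "$listfile"   # whole-line, fixed-string match
}

# pam_listfile_verdict LISTFILE USER TTY
# Prints: allow | deny | skip  (skip = module not applied to this user).
pam_listfile_verdict() {
    listfile=$1; user=$2; tty=$3
    if [ "$user" != "$APPLY_USER" ]; then
        echo skip
        return 0
    fi
    if tty_allowed "$listfile" "$tty"; then echo allow; else echo deny; fi
}

main() {
    # Constructed stand-in for /etc/pam.d/sudo.tty: assumed console ttys.
    listfile=$(mktemp)
    printf '%s\n' tty1 tty2 tty3 tty4 tty5 tty6 > "$listfile"

    # Constructed sessions: who is logged in on which tty.
    printf '%-8s %-12s %s\n' USER TTY VERDICT
    printf '%s\n' 'unisolv /dev/tty1' 'unisolv /dev/pts/0' \
                  'unisolv /dev/pts/3' 'root /dev/pts/0' |
    while read -r user tty; do
        printf '%-8s %-12s %s\n' "$user" "$tty" \
            "$(pam_listfile_verdict "$listfile" "$user" "$tty")"
    done
    rm -f "$listfile"
}

main "$@"
```

The verdict for unisolv on /dev/pts/0 is deny and on /dev/tty1 is allow, while root is skipped because of apply=unisolv, so the sudoers entry for unisolv can stay as posted and the "from where" restriction lives entirely in PAM. On the real system, `tty` in the unisolv session shows which name the module will see, and the module's denial is logged by sudo, which is the check the post describes with `sudo -l`.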
 
Old 03-02-2006, 11:27 AM   #5
Cenobite
LQ Newbie
 
Registered: Dec 2003
Location: South Africa
Distribution: CentOS, Arch
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks for your assistance, unSpawn! I'll give PAM a try and check my mileage, however I'm also keen to find out if anyone else has a working solution for this.

I've been struggling with this (work-related) little problem for a while now, and at this stage I'm willing to try any old hack, no matter how greasy it is.
 