sudo to disallow certain commands

chakkerz · 01-10-2011, 06:11 PM

Hello there

I'm trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh.

Is there a way to allow users to run anything they want except shells. I realise this is a default permit which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decided on the likely 1000+ commands I would want to be genuinely allowed.

As I said this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands, rather they switch to bash, but any auditing would help.

Any strategies or settings I'm just not seeing?

For reference this is on RHEL6 with sudo 1.7.2p2-9.el6.x86_64

Any help appreciated

GlennsPref · 01-10-2011, 06:44 PM

Just make the programs you don't want used (by $USER) a member of the admin/root group.

And re/edit the /etc/sudoers file to reflect the same.

Also check your .bashrc/.zshrc (shell config) and remove/comment (#) any undesired aliases/commands.

Hope this helps, Glenn

chakkerz · 01-10-2011, 07:35 PM

Sorry, how should i make them a member? You mean chown root:root ... but that doesn't seem right because:

Code:

[root@pomelo chakkerz]# ls -l /bin/bash
-rwxr-xr-x. 1 root root 943248 Jun 23  2010 /bin/bash

And I don't see anything in the default /etc/sudoers file that appears relevant either ... well there is the User_Alias and Cmnd_Alias stuff .. but that doesn't seem entirely relevant...

Can you give me more detail please?

Thanks for the Alias comment ... i was going to forget that.

GlennsPref · 01-10-2011, 08:04 PM

Oh, sorry 'bout that, I meant to say the "wheel" group.

Then only members of the wheel group have access

Without a gui it's a bit hard to everything at once, but you may dictate which shell (bash, csh, zsh, etcetera etcetera) users have access to.

and from there you may be able to restrict users, but if you want everybody to have admin rights, it may be difficult to split them into categories/groups.

You may use the wheel group and sudo to do it. (I think

Glenn

chakkerz · 01-10-2011, 08:38 PM

wheel group - hmm ... no good:

[root@pomelo puppet]# which tcsh
/bin/tcsh
[root@pomelo puppet]# chgrp wheel /bin/tcsh
[root@pomelo puppet]# visudo
## where I allowed myself to do ALL, everywhere ... same as root
[root@pomelo puppet]# exit
[chakkerz@pomelo ~]$ sudo bash
[sudo] password for chakkerz:
[root@pomelo chakkerz]# exit
[chakkerz@pomelo ~]$ sudo tcsh
[root@pomelo chakkerz]#

chakkerz · 01-10-2011, 08:41 PM

%nsysadm ALL=ALL,!/bin/tcsh

Maybe this is the answer...

GlennsPref · 01-10-2011, 09:01 PM

That's all I got.

All the best! Glenn

http://glennwaller.blogspot.com/2010...-and-sudo.html