Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have setup a user group in sudoers to allow some specific commands.
Commands allowed to the group are running fine. I have not allowed to run service command or /etc/init.d/service command.
But that user can run /etc/init.d/service status command.
How can I restrict that user to not run /etc/init.d/asterisk command.
Question: can a normal user (not in the target group) run that command WITHOUT sudo?
If they can, then sudo is not giving the permission and changing the sudo configuration will not help you.
Make sure the init files belong to root, and have permissions likie 700 and see if that does the job for you.
Yes you are right. I have tried with a normal bash user and it can run the command.
But I can't set permissions to /etc/init.d/asterisk to 700 becuase it may impact my production time.
Is there any other way to sort this out.
Current permissions are as below:
I have setup a user group in sudoers to allow some specific commands.
Commands allowed to the group are running fine. I have not allowed to run service command or /etc/init.d/service command.
But that user can run /etc/init.d/service status command.
How can I restrict that user to not run /etc/init.d/asterisk command.
In last I have write !/etc/rc.d/init.d/asterisk but not restricting it in centos.
Please suggest the solution.
It
regards,
kamran
It is not related to your question, but anyway...
In your sudoers file you specified among other things find, less and more.
Find and less ( may be more too) able to execute arbitrary commands.
So, allowing using those commands are effectively the same as allowing full root access.
If you really need to those command yiu may want to consider sudoers' noexec specifier
to close this hole.
The init files nromally need to be run as root on startup anyway. Restricting them only removes the ability of non-root users to get status information, which appears exactly what you want.
I am not saying there will be no unintended consequences, but they should be non-fatal.
Why not try this with one or two that you want to lock down. If those cause no issues, move on to one or two more.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
