Sudoers File

ahmerj123 · 03-09-2016, 03:34 PM

Hi All,

Question: Is there a way in the sudoers file to restrict access to a certain directory?, I know the sudoers file is used to manage permissions on how much privileges in terms of commands. The user needs root access, but we want to restrict an access to certain directories.

Thanks,
Ahmer

cliffordw · 03-10-2016, 09:14 AM

Hi there,

What does the user need to do in these directories? You might be able to either use chroot to restrict them to a directory, or wrap the command(s) they need in a script that allows only the authorized actions.

lazydog · 03-10-2016, 09:16 AM

I'm for the chroot approach.

Hasek39 · 03-10-2016, 12:04 PM

Maybe you can chown this directories to another user?

ahmerj123 · 03-19-2016, 12:50 AM

So the problem is that they are engineers and need to install software and make system changes to make this software build that they install work. As system admins we dont know their required commands. So we are trying to make a setting that allows all root access without them explicitly changing permissions and accessing certain directories.. Certain parts of /etc

ahmerj123 · 03-19-2016, 12:51 AM

Root has full access to everyone and sudoers lets you become root without the actual root passwd.

lazydog · 03-21-2016, 10:47 AM

Quote:

Originally Posted by ahmerj123

Root has full access to everyone and sudoers lets you become root without the actual root passwd.

Correction, sudoers allows you to run commands as root. There are ways to become root if you have sudoers rights.

ahmerj123 · 03-21-2016, 06:20 PM

Quote:

Originally Posted by lazydog

Correction, sudoers allows you to run commands as root. There are ways to become root if you have sudoers rights.

So is there a way to make it so users with sudoers privileges can not access other home directories and restrict access to directories like Audit.

wpeckham · 03-21-2016, 08:32 PM

My favorite way to approach that is using Linux containers (either LXC or OpenVZ) to give each engineer a virtual machine. Even better than chroot, each has what looks like an entire linux workstation with complete access to ALL files - yet they cannot affect the virtual machine of the next engineer or see ANY of his (or her) files. Just as they are walled away from each other, they are also walled away from the host (DOM0) physical server.

As a side benefit, it is fairly easy to take a working container and use it to make a template that can be used to deploy multiple copies as needed. So if they get it REALLY right, they can safely share with all of the other engineers.

lazydog · 03-22-2016, 09:05 AM

Quote:

Originally Posted by ahmerj123

So is there a way to make it so users with sudoers privileges can not access other home directories and restrict access to directories like Audit.

That all depends on what you have already setup. For example are the directories already setup to not allow them access as normal user? If so then you would remove the ability to run the 'cd' command as sudo.

But if you want to restrict the users use of commands they can use you should lock all commands and only allow the commands you want them to use.