Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
I want to allow a sudo user to be able to run commands but not be able to add a user to the system. Is it possible to do this in Ubuntu? I am assuming it's in the sudoers file.
The sudoers file allows you to specify a "white list" of commands a specific user or group can execute with sudo. It also allows "blacklisting" by putting an exclamation mark right in front of the command.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
You could put useradd in this list. However, a user with root privileges can still add the user manually in the passwd and shadow files. I don't know how you can prevent that from happening.
Last edited by berndbausch; 12-10-2019 at 12:15 AM.
I don't know how you can prevent that from happening.
It's there in the first line of your answer.
Quote:
Originally Posted by berndbausch
"The sudoers file allows you to specify a "white list" of commands a specific user or group can execute with sudo. "
Using a whitelist is the only way to achieve the goal: make a list of the specific commands that the account should be allowed to run as root and enumerate them in /etc/sudoers.
Yeah, technically the syntax allows blacklisting but there are an infinite number of ways to circumvent anything you might try in that regard. There have been several articles and talks about that but it's an easy enough thought experiment to walk through.
My fear is that whitelisting won't help the original poster, since they mention open-ended "commands" that the user should be able to run. Let's see if anything comes around.
After thinking a bit more, I also believe that blacklisting is not effective. One would have to design the blacklist with a lot of thought and effort to exclude workarounds.
In short, sudo is probably good for giving blanket root privileges, or for allowing a very narrow, carefully crafted command set to have root privileges.
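To make the whitelist-versus-blacklist point above concrete, here is an added example (not code from the thread and not sudo's own code): a small Python model of how sudoers matches a Cmnd_List against a command, run over a blacklist-style rule set and an allowlist-style rule set. Everything in it is constructed for illustration: the two rule sets, the attempted commands, and the stand-in path `/tmp/ua` for a copy of `useradd` made under another name. It assumes commands are already fully qualified (real sudo resolves the command through PATH or secure_path first), compares paths literally (sudoers also allows wildcards in paths), and applies the sudoers rule that every matching entry is evaluated and the last match wins; Cmnd_Alias, Defaults, digests and sudoedit are not modelled.

```python
#!/usr/bin/env python3
"""Added example, not from the thread and not sudo's own code: a model of
sudoers Cmnd_List matching, used to show why a '!' blacklist of useradd is
easy to get around while an allowlist is not.

Simplifications (all assumptions of this example):
  * commands are fully qualified; real sudo resolves them via PATH first
  * entry paths are compared literally (ALL matches any path)
  * arguments are matched as a glob, as sudoers does
  * every entry is evaluated and the LAST matching entry wins, as in sudoers
"""
import fnmatch
import shlex

# Constructed rule sets. The allowlist reuses the passwd example from the
# sudoers manual that the thread quotes.
BLACKLIST = "ALL, !/usr/sbin/useradd, !/usr/sbin/adduser"
ALLOWLIST = ("/usr/bin/systemctl restart nginx, "
             "/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root")


def parse_cmnd_list(spec):
    """Turn 'a, !b args, ...' into [(negated, path, arg_glob_or_None), ...]."""
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].lstrip()
        path, _, args = item.partition(" ")
        entries.append((negated, path, args.strip() or None))
    return entries


def entry_matches(path, arg_glob, cmd_path, cmd_args):
    """Match one entry against a command path and its joined arguments."""
    if path != "ALL" and path != cmd_path:
        return False
    if arg_glob is None:          # entry has no args: any arguments match
        return True
    if arg_glob == '""':          # explicit "" in sudoers: only no arguments
        return cmd_args == ""
    return fnmatch.fnmatchcase(cmd_args, arg_glob)


def decide(spec, command):
    """True if `command` is permitted by Cmnd_List `spec`.

    No matching entry means denied; otherwise the last matching entry
    decides, so '!' entries only bite when they come after an allow."""
    parts = shlex.split(command)
    cmd_path, cmd_args = parts[0], " ".join(parts[1:])
    allowed = False
    for negated, path, arg_glob in parse_cmnd_list(spec):
        if entry_matches(path, arg_glob, cmd_path, cmd_args):
            allowed = not negated
    return allowed


# Constructed attempts. "/tmp/ua" stands for a copy of useradd that the user
# made under another name; vi on /etc/passwd is the manual route from the
# thread.
ATTEMPTS = [
    "/usr/sbin/useradd bob",
    "/tmp/ua bob",
    "/usr/bin/vi /etc/passwd",
    "/usr/bin/systemctl restart nginx",
    "/usr/bin/passwd alice",
    "/usr/bin/passwd root",
]


def compare(attempts=ATTEMPTS):
    """Decision of each rule set per attempt: {command: (blacklist, allowlist)}."""
    return {cmd: (decide(BLACKLIST, cmd), decide(ALLOWLIST, cmd))
            for cmd in attempts}


if __name__ == "__main__":
    print(f"{'command':36} blacklist  allowlist")
    for cmd, (black, allow) in compare().items():
        print(f"{cmd:36} {str(black):10} {allow}")
```

The rows for `/tmp/ua bob` and `/usr/bin/vi /etc/passwd` are the thread's argument in miniature: the blacklist denies the one path it names and nothing else, so a renamed copy of the binary or a text editor opened on /etc/passwd sails through under `ALL`, while the allowlist denies both because neither was enumerated. The sudoers manual says the same in its own words: subtracting commands from `ALL` with `!` is "generally not effective", since the user can copy the command to a different name. On a real system, check the policy you actually wrote with `visudo -c` (syntax) and `sudo -l -U user` (what that user may run), rather than trusting a model like this one.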
There are other ways around this. The problem is more one of why you made the user a sudoer to begin with. This entry almost assures one is root, except as noted way above. One way around it is to have a user without sudo rights and give them all they need normally, or give them the ability to su to a higher user that actually has all they need. Use setuid special permissions on the tasks that you want only root to have privilege on.
My understanding is that, in a default Ubuntu installation, only the installing user is given sudo rights. Other users added after time of install do not have sudo access unless it is manually granted by installing user.
I'm just gonna leave this here: Sudo: You're Doing it Wrong
Long story short: sudo is much, much more configurable & powerful than the average Ubuntu use case.
Not that I know from experience, but I'll take the developer's word for it.