LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Editing Sudoers file, what are the options? (https://www.linuxquestions.org/questions/linux-newbie-8/editing-sudoers-file-what-are-the-options-4175422598/)

shahmeer75 08-17-2012 07:16 AM

Editing Sudoers file, what are the options?
 
Hi,

I am confused about editing Sudoers file as what to write and what not to? Can you please help me?

I am trying to edit Sudoers for running few commands like copying, moving, listing, searching, creating, changing permissions on files and directories in the home directory for user e.g. a test user but i am not sure how to restrict the user action to a particular directory or restrict the commands all other commands except ls, cp, grep, wc, cat, touch, chmod, chown running at root level (e.g. rm -r command)? What would be the syntax?

Thank you in advance.

Shahmeer

pan64 08-17-2012 07:34 AM

see here: http://www.garron.me/linux/visudo-co...lt-editor.html
do not edit that file directly, use visudo instead (http://linux.die.net/man/5/sudoers)

TobiSGD 08-17-2012 07:54 AM

Allowing a user to use cp, chmod or chown with sudo is basically the same as giving them your root password. The user is easily able to chmod or chown the sudoers-file or just copy over a already prepared sudoers file, giving himself or other users any permission he wants.

This is a serious security issue, don't even consider it.

If you want to restrict the user's actions to a limited set of directories sudo is not the appropriate tool, you should use the permission system, in particular different user-groups for that.

Wim Sturkenboom 08-17-2012 08:30 AM

I think there is a misunderstanding. I don't think that shahmeer75 wants the testuser to modify / chown / rm etc the sudoers file.

Not familiar enough with sudoers to be of further help ;)

TobiSGD 08-17-2012 08:49 AM

Quote:

Originally Posted by Wim Sturkenboom (Post 4756632)
I think there is a misunderstanding. I don't think that shahmeer75 wants the testuser to modify / chown /rm etc the sudoers file.

And that exactly is the problem. If the testuser has the right to start the commands mv, cp, chown, chmod (or many other programs) as root using sudo the testuser is able to modify those files (or use many other nasty hacks) to become effectively root. If you don't trust the user so that you have to give him limited rights with sudo then you shouldn't trust him not to modify those files.
Therefore a different approach should be taken. Since shahmeer75 asks
Quote:

how to restrict the user action to a particular directory or restrict the commands all other commands except ls, cp, grep, wc, cat, touch, chmod, chown running at root level
IMHO the correct approach would be to use file permissions or, if necessary, ACL (Access Control Lists).

@shahmeer75: Information about setting up sudo, file permissions and ACL


All times are GMT -5. The time now is 02:03 PM.