LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   limit program use with sudo (https://www.linuxquestions.org/questions/linux-newbie-8/limit-program-use-with-sudo-886066/)

lazerking9 06-13-2011 10:11 AM
limit program use with sudo
 
I am the owner (ie-"root") for my organization's linux system. The other day, one of my administrators came to me and complained that it is too tedious to type their password every time they sudo a command, especially when running common commands such as apt-get, shutdown, and the like. For security reasons, I have their sudo timestamp timeout set to 3. Without modifying the timeout, is there a way to use NOPASSWD in sudoers to allow them to run those commands, without requiring password?

I tried something similar to this, but it didn't work:
Code:
# /etc/sudoers
# ...
Host_Alias      HOMEMACHINE=current_pc_HP_PC
# ...
User_Alias      FOOBAR=foo,bar
# ...
Defaults      timestamp_timeout=3
Defaults      passwd_timeout=1
# ...

root ALL=(ALL) ALL

# Members of administrators group may use all commands on this machine only
%admin HOMEMACHINE=(root) PASSWD:All

# group "foobar" may use selected commands without password
FOOBAR HOMEMACHINE=(root) NOPASSWD:/sbin/shutdpwn {-h -P,-r}*,/usr/bin/apt-get {install,update}

MensaWater 06-13-2011 10:30 AM
You have a typo - it should be shutdown rather than shutdpwn I think unless you've written a script called shutdpwn.

How in your view is it more secure to use NOPASSWD than to increase the timeout limit? With the timeout limit they at least have to re-enter the password periodically - with NOPASSWD they never have to enter it.

lazerking9 06-13-2011 06:47 PM
yes, that one was a typo from when I copied it to here.. no sleep can do that to ya.

**EDIT**
The timeout will still be enforced on all but a very, VERY narrow group of commands. And the commands that would no longer require a password are those that update the system- specifically apt-get update and apt-get install. I know there are a few options in apt-get that could allow you to do damage to the system, but all it takes to lock users out of using them is explicitly NOT mention them in sudoers.

Out of the fifty or so users I have, about five or so are administrators in their specific areas of OS/network expertise. the other 40-some-odd users are clueless when it comes to command line. Only my administrators (who I trust, and who know what they are doing) can run sudo...
sudo is there mainly to keep users from poking around where they belong. For my administrators, the passsword check is more of a sanity thing than anything else- it makes them think about whether they are sure they want to execute that command. And if another user should get access to their machine (ie- walk away without locking it), it is just another safeguard.

I'm just trying to idiot proof my system, not tamper proof it. To quote Arthur Clarke: "You can proof things against stupidity and carelessness, but there is no mechanism that can exist to prevent deliberate malice." (2001: A Space Odyssey)

I am aware that using NOPASSWD is a security risk, but a manageable one.


All times are GMT -5. The time now is 10:45 AM.