LinuxQuestions.org
Old 03-04-2018, 10:30 AM   #1
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Rep: Reputation: 10
Restrict a user to run specific commands.


Hello.
I want to restrict a user to running a specific command, and I found this guidance about it. If I want the user to be able to run only the "cp" command, then I must add the line below to the "sudoers" file:
Code:
user ALL=(root) /bin/cp
Am I right?

Thank you.
 
Old 03-04-2018, 10:41 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,177
Blog Entries: 3

Rep: Reputation: 2067
Very close. With a dangerous program like cp, you would do well to limit it to specific options and directories. Can you say a little more about how you intend the user to use it as root?

You'll benefit from a bit more background knowledge on sudo and /etc/sudoers. You can buy the book sudo Mastery by Michael W Lucas if your library does not have it. Or there are two online resources:

The configuration that you add to /etc/sudoers should be very specific and even refer to which file you want to copy or which directory to copy to.
 
Old 03-04-2018, 12:02 PM   #3
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,103

Rep: Reputation: 4145
Just a theoretical example: if I can execute cp as root:
Code:
/bin/cp ~/my_sudoers /etc/sudoers
will overwrite the sudoers file and therefore will allow anything that was specified in ~/my_sudoers.
Or two:
Code:
/bin/cp ~/my_executable /bin/cp
will overwrite the cp tool itself and will run something else instead, which will also allow the user to do what (s)he wants, without restriction.
 
Old 03-04-2018, 12:06 PM   #4
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,230

Rep: Reputation: 724
Dangerous indeed, can also overwrite /etc/shadow
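
As an added example (not part of any post in this thread), a small POSIX shell audit that classifies simple one-line sudoers rules like the one in post #1 by how tightly a file-writing command is pinned to its arguments. The function names, the WRITERS list and the sample rules are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: classify simple one-line sudoers rules
# of the form "user HOST=(runas) cmd[, cmd...]". Aliases, includes, negation
# and line continuations are out of scope.

# Tools that write to a caller-chosen path; illustrative list (assumption).
WRITERS="cp mv install dd tee rsync"

# classify_cmd "<one command spec>" -> "<verdict>: <normalized spec>"
classify_cmd() (
    set -f                       # no pathname expansion while word-splitting
    set -- $1
    while [ $# -gt 0 ]; do       # drop tags such as "NOPASSWD:"
        case $1 in
            [A-Z]*:)   shift ;;
            [A-Z]*:/*) rest=${1#*:}; shift; set -- "$rest" "$@" ;;
            *)         break ;;
        esac
    done
    [ $# -gt 0 ] || { echo "empty:"; return; }
    spec="$*"; tool=${1##*/}; shift; args="$*"
    case " $WRITERS " in
        *" $tool "*) ;;
        *) echo "not-a-writer: $spec"; return ;;
    esac
    case $args in
        "")             echo "any-arguments: $spec" ;;      # no args listed = every argument allowed
        *\**|*\?*|*\[*) echo "wildcard-arguments: $spec" ;; # arg wildcards also match "/" and spaces
        *)              echo "fixed-arguments: $spec" ;;
    esac
)

# audit_rule "<sudoers line>" -> one verdict line per command in the rule
audit_rule() (
    # Drop "user HOST=" and an optional "(runas)" specification.
    cmds=$(printf '%s\n' "$1" | sed -E 's/^[^=]*=[[:space:]]*(\([^)]*\))?//')
    IFS=,; set -f; set -- $cmds; unset IFS
    for c in "$@"; do classify_cmd "$c"; done
)

# Constructed sample rules: the one from post #1 plus two variants.
audit_all() {
    audit_rule 'user ALL=(root) /bin/cp'
    audit_rule 'user ALL=(root) NOPASSWD: /bin/cp /home/user/in/* /srv/app/'
    audit_rule 'user ALL=(root) /bin/cp /home/user/app.conf /srv/app/app.conf, /usr/bin/id'
}
audit_all
```

A "fixed-arguments" verdict only means the paths are pinned; the user still controls the contents of a source file they own, so the destination must be one where that is acceptable.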
 
  

