LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Restrict SUDO Access (https://www.linuxquestions.org/questions/linux-newbie-8/restrict-sudo-access-931155/)

maddyfreaks 02-24-2012 11:38 PM

Restrict SUDO Access
 
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Hi Folks,

Please help me. I am bit struck here.

Here is the OS info.
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

I have a user Alex( userif alex:admin) and trying to grant him sudo access to a userid (cbttest:sytgrp) i.e granting sudo to ID cbttest

I have added the following info to /etc/sudoers file.

alex ALL=(cbttest:sytgrp) ALL

It was working fine, alex was able to sudo to cbttest.

Now I want to restrict alex not to execute passwd change so tried the below options none worked.

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/passwd

Cmnd_Alias PASSWD=/usr/bin/passwd
alex ALL=(cbttest:sytgrp) ALL, !PASSWD

alex ALL=(cbttest:sytgrp) !/usr/bin/passwd

alex ALL=(cbttest:sytgrp) ALL, !/usr/bin/pass*

none of the above options worked. Please helpme in restricting the user to execute all like cbttest except passwd

Dark_Helmet 02-24-2012 11:47 PM

Are you using visudo to make your changes to the sudoers file? You cannot open /etc/sudoers and edit it directly.

If you don't like the vi-ike editor provided by visudo, you can change it by setting one of two environment variables to the name of the editor you prefer. For example:
Code:

export VISUAL=emacs
One of the main benefits of using visudo is that visudo will tell you if you have bad syntax in your sudoers file when you try to save and exit.

I think that might be the case here. I'll look at it a little more closely though.

Dark_Helmet 02-25-2012 12:24 AM

As a followup, here's an excerpt for my Ubuntu machine's sudoers file and a sample shell session with results:

sudoers:
Code:

darkhelmet ALL=(gkrellmd) /usr/bin/whoami, ! /bin/echo
sample shell session:
Code:

darkhelmet@localhost$ sudo -u gkrellmd /usr/bin/whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.


maddyfreaks 02-25-2012 09:27 AM

Thanks Dark.. I am using visudo.

But I tried the way you gave... but it doesnot work. More over. I need the user to execute all the commands except password.

I dont know you got my point or not.

Dark_Helmet 02-25-2012 11:51 AM

Nope, I understood. The above was just an example. Here is another:

sudorers:
Code:

darkhelmet ALL=(gkrellmd) ALL, ! /bin/echo
sample shell session:
Code:

darkhelmet@localhost$ sudo -u gkrellmd whoami
[sudo] password for darkhelmet:
gkrellmd
darkhelmet@localhost$ sudo -u touch /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
-rw-r--r-- 1 gkrellmd nogroup 0 2012-02-25 10:47 /tmp/testfile
darkhelmet@localhost$ rm /tmp/testfile
rm: remove write-protected regular empty file `/tmp/testfile'? y
rm: cannot remove `/tmp/testfile': Operation not permitted
darkhelmet@localhost$ sudo -u gkrellmd rm /tmp/testfile
darkhelmet@localhost$ ls -l /tmp/testfile
ls: cannot access /tmp/testfile: No such file or directory
darkhelmet@localhost$ sudo -u gkrellmd /bin/echo "Hi"
Sorry, user darkhelmet is not allowed to execute '/bin/echo Hi' as gkrellmd on localhost.

See also this thread.

If the above format does not work for you, then carefully review your sudoers file to verify that some other rule is not granting the user greater privileges (e.g. something like "%sudo ALL=(ALL) ALL"). If I remember correctly, later rules override earlier rules.

maddyfreaks 02-25-2012 02:04 PM

Here is the test case I have done.

My Sudoers File

# User privilege specification
root ALL=(ALL:ALL) ALL

alex ALL=(cbttest:sytgrp) ALL, !/bin/echo


[alex@ubuntu] "/home/alex/Desktop"
$ whoami
alex
[alex@ubuntu] "/home/alex/Desktop"
$ sudo -H -u cbttest -i
[sudo] password for alex: *******
[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest
[cbttest@ubuntu] "/home/cbttest"
$ export DT=ABC
[cbttest@ubuntu] "/home/cbttest"
$ echo $DT
ABC
[cbttest@ubuntu] "/home/cbttest"
$ which echo
/bin/echo


There is no syntax error in the /etc/sudoers file.

Dark_Helmet 02-25-2012 02:17 PM

That's because you are logging in as cbttest.

Code:

sudo -H -u cbttest -i
As shown by your command prompt on the next line:
Code:

[cbttest@ubuntu] "/home/cbttest"
$ whoami
cbttest

Once you have logged in as cbttest, the sudo restrictions no longer apply--because the sudo restrictions are for user alex launching commands as cbttest. You are no longer "alex" after logging in as cbttest.

In addition, sudo will only check against commands invoked with sudo. The sudo program does not monitor all shell activity.

To get the behavior you want, you must execute the commands as user alex and of the form "sudo -u cbttest [command]".

maddyfreaks 02-25-2012 02:23 PM

Thanks dark I got the point now. But how can we restrict cbttest not to change the password.

i.e he or any one should not be able to use /usr/bin/passwd except root.

is there a way to restrict that

Dark_Helmet 02-25-2012 02:32 PM

Take a look at this thread

Specifically Tinkster's response.

I have never actually tried his suggestion, nor do I know whether root would be able to bypass teh restriction directly. But, if root cannot bypass it, root could certainly remove the restriction, change the password, and re-enable the restriction.

There may be other interesting options in man passwd. I haven't looked at that page in a while.


All times are GMT -5. The time now is 07:51 AM.