LinuxQuestions.org
Linux - Newbie: Sudo question (https://www.linuxquestions.org/questions/linux-newbie-8/sudo-question-4175505011/)

battles 05-14-2014 03:15 PM

Sudo question
 
1. My debian sudo file has a format like: 'user ALL=(ALL:ALL) ALL'. I can't find any explanation as to what the ALL:ALL means. Can anyone explain this or know where this might be explained?

2. I have a user who has been given full sudo privileges. I would like to prevent him from executing one single program on the system. I know how to include things that he could execute, but that would require quite a list of programs. I played with the 'user ALL=(root)NOEXEC: /user/path/to/the/program' parameter, but it didn't stop the user from sudoing the program. Anyone know how I might prevent him from executing this one program?

Thanks.

Enindu 05-14-2014 03:59 PM

Refer to these wiki pages.

https://wiki.debian.org/sudo
https://wiki.archlinux.org/index.php/sudo

battles 05-14-2014 04:01 PM

Thanks.

Firerat 05-14-2014 04:15 PM

ALL=
Any location

(ALL:ALL)
Means they can execute as any user, or group

(foo:foo)
They can only execute as user/group foo

foobar=(ALL:ALL)
as any user, but only from 'location' ( like via ssh ) foobar

Best to read the sudo documentation, especially if you are admin.

Start with
Code:

man sudo

Then some web searches.

Don't want to be an RTM guy, but on tablet at the moment.
If you are still stuck I'm sure someone else can help before I can.

But will add,

Use visudo to edit rules.

And last rule wins!
So
Code:

User ALL=(ALL:ALL)
User foobar=(ALL:ALL)EXEC:!/bin/foobarNO.sh

User can do anything, unless from foobar when they can do all BUT /bin/foobarNO.sh
Hope that makes sense

battles 05-14-2014 04:21 PM

That was my problem. I left out the ! before /bin/foobarNO.sh. Thanks, that answered it. I tried to make sense of the man sudo, but couldn't understand it.

Firerat 05-14-2014 04:40 PM

Quote:

Originally Posted by battles (Post 5170988)
That was my problem. I left out the ! before /bin/foobarNO.sh. Thanks, that answered it. I tried to make sense of the man sudo, but couldn't understand it.

Careful!

You had NOEXEC
I had EXEC
The ! just inverts it

Really you need to read the docs,
I've just done a very bad job paraphrasing them from memory

Good idea to set up a VM (VirtualBox is quick and easy for such things) to test it

And you need to test many things
Somewhere in the docs are things like not getting a root shell with things like vi, vim, less etc.

sudo is great, but it is (when incorrectly configured) a security nightmare
Read as much as you can...

battles 05-14-2014 04:51 PM

I have a VM with debian weasy (or whatever it is called), but I haven't messed with it. Better than to mess up my server, of course.
Here is an example of what I wanted to do that works, thanks to your example (I didn't even notice you used EXEC):

sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free

This allows sam root privileges, but prevents him from using the 'free' program with sudo.

Firerat 05-14-2014 05:01 PM

Are you certain that does what you need?

When testing, open a new shell (if GUI, just start a new terminal; in screen do ctrl+a then c)

and it's wheezy, as in "toy story" character
All the debian codenames are toy story chars. ;)
Sid being the unstable one ;)

Firerat 05-14-2014 05:12 PM

In fact!
Code:

sam ALL=(ALL:ALL) /usr/bin/free

They can only execute that as anyone

Code:

sam ALL=(ALL:ALL) ALL, NOEXEC:/usr/bin/vim

Means they can execute vim as anyone, but can't get a shell

Read docs, don't even trust me, I missed that !

battles 05-14-2014 05:18 PM

Proof (I think?)

sudo file:
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free

sam@host:~$ free
total used free shared buffers cached
Mem: 514436 438140 76296 0 146480 224076
-/+ buffers/cache: 67584 446852
Swap: 0 0 0

sam@host:~$ sudo free
[sudo] password for sam:
Sorry, user sam is not allowed to execute '/usr/bin/free' as root on localhost.

sam@host:~$ sudo ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 May04 ? 00:00:15 init [2]
root 2 0 0 May04 ? 00:00:00 [kthreadd]
root 3 2 0 May04 ? 00:00:08 [ksoftirqd/0]
...

Firerat 05-14-2014 05:27 PM

Nah,

try doing something else, other than free

Test "everything"

Edit:
Sorry, I'm confused now

You want them to be able to do everything but,
or only a selected few?

battles 05-14-2014 05:44 PM

Everything but. Another example:

sudo file:
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free,!/usr/bin/updatedb

sam@host:~$ updatedb
updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
sam@host:~$ sudo updatedb
[sudo] password for john:
Sorry, user sam is not allowed to execute '/usr/bin/updatedb' as root on localhost.
sam@host:~$

Before changing the sudo file to exclude updatedb, sam was able to do a sudo updatedb.

Firerat 05-14-2014 06:15 PM

Ok
Actually makes sense now I think about it

NOEXEC
Means can run 'as' but not get a subshell ( good )
The ! means, can't do this "one"

Still a good idea to read the docs.

sudo is convenient, but you must be careful with what you give.

As you can see, my memory is 'suspect' with it, I usually review docs
but not an everyday thing for me ...
If in doubt, man + web search ( give low weighting to blogs, good and bad out there ).

TobiSGD 05-14-2014 08:36 PM

Please be careful with this. Even with not being allowed to start free using sudo in the above example, I still can start Vim using sudo, run Vim's :shell command and have full root access to that machine.
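The matching rules Firerat spells out earlier in the thread (rules are read top to bottom and the last match wins; a tag such as NOEXEC sticks to the commands that follow it in the same list; a leading ! denies the command) and TobiSGD's warning just above can both be checked with a small model. The Python below is an added illustration written for this page; it is not sudo's own code and it only models the subset of the sudoers(5) grammar used in the thread (no aliases, %group entries, wildcards or command arguments). The first sudoers line inside it is the thread's own rule; the second line, a later NOEXEC rule for vim, is constructed here to show the last-match-wins behaviour. Names such as `decide`, `parse_cmnd_list` and `thread_results` are this example's own.

```python
import re
from dataclasses import dataclass

# Simplified model of sudoers user specifications (added illustration, not
# sudo's own code). Grammar subset handled, as used in this thread:
#     user host=(runas_user:runas_group) [TAG:] cmd, [TAG:] !cmd, ...
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAGS = {"NOEXEC", "EXEC", "NOPASSWD", "PASSWD", "SETENV", "NOSETENV"}
OPPOSITE = {"NOEXEC": "EXEC", "EXEC": "NOEXEC", "NOPASSWD": "PASSWD",
            "PASSWD": "NOPASSWD", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}


@dataclass
class Decision:
    allowed: bool       # False when the winning entry was a '!' entry
    tags: frozenset     # tags in force for the winning entry, e.g. {"NOEXEC"}
    rule: str           # the sudoers line the decision came from


def parse_cmnd_list(text):
    """Split 'cmd, TAG:!cmd, ...' into (negated, path, tags) entries.

    A tag applies to the command it precedes and to every later command in
    the same list until its opposite replaces it, so in
    'ALL, NOEXEC:!/usr/bin/free,!/usr/bin/updatedb' NOEXEC covers both
    negated entries but not the leading ALL.
    """
    tags = set()
    entries = []
    for item in text.split(","):
        item = item.strip()
        # peel off any leading TAG: prefixes (there may be several)
        while ":" in item and item.split(":", 1)[0].strip() in TAGS:
            tag, item = item.split(":", 1)
            tag = tag.strip()
            tags.discard(OPPOSITE[tag])
            tags.add(tag)
            item = item.strip()
        negated = item.startswith("!")
        entries.append((negated, item.lstrip("!").strip(), frozenset(tags)))
    return entries


def runas_matches(spec, runas_user, runas_group):
    """'(ALL:ALL)' matches any target user and group; a part matches when it
    is ALL or equal to what was requested. No runas spec at all means root."""
    if spec is None:
        return runas_user == "root" and runas_group is None
    ru, _, rg = spec.partition(":")
    ru, rg = ru.strip() or "root", rg.strip()
    if ru not in ("ALL", runas_user):
        return False
    return runas_group is None or rg in ("ALL", runas_group)


def decide(sudoers, user, command, runas_user="root", runas_group=None,
           host="localhost"):
    """Walk the file top to bottom; the LAST matching entry decides.
    Returns None when no entry matches (sudo refuses in that case)."""
    last = None
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = USER_SPEC.match(line)
        if not m or m["user"] not in ("ALL", user):   # no %group / aliases
            continue
        if m["host"] not in ("ALL", host):
            continue
        if not runas_matches(m["runas"], runas_user, runas_group):
            continue
        for negated, path, tags in parse_cmnd_list(m["cmds"]):
            if path == "ALL" or path == command:
                last = Decision(not negated, tags, line)
    return last


# The thread's own rule: everything as anyone, except free and updatedb.
THREAD_SUDOERS = "sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free,!/usr/bin/updatedb\n"

# Constructed extra rule appended after it; being later, it wins for vim.
WITH_NOEXEC_VIM = THREAD_SUDOERS + "sam ALL=(ALL:ALL) NOEXEC: /usr/bin/vim\n"


def thread_results(sudoers=THREAD_SUDOERS):
    """Decisions for the commands discussed in the thread."""
    cmds = ("/usr/bin/free", "/usr/bin/updatedb", "/usr/bin/vim", "/bin/ps")
    return {cmd: decide(sudoers, "sam", cmd) for cmd in cmds}


if __name__ == "__main__":
    for name, text in (("deny-list line", THREAD_SUDOERS),
                       ("with later NOEXEC vim rule", WITH_NOEXEC_VIM)):
        print(name)
        for cmd, d in thread_results(text).items():
            status = "denied" if d is None or not d.allowed else "allowed"
            print(f"  {cmd:20} {status:8} tags={sorted(d.tags) if d else []}")
```

Run as a script, the first block shows free and updatedb denied but /usr/bin/vim allowed with no NOEXEC tag in force, which is exactly TobiSGD's point: the deny list only covers the programs named after the !, so an allowed editor's :shell command still lands the user in a root shell. The second block shows that a later rule naming vim with NOEXEC wins for that command, matching the "NOEXEC:/usr/bin/vim" form Firerat gives. On a real system the equivalent checks are `visudo -c` for syntax and `sudo -l` to list the rules that actually apply to the invoking user; test in a VM, as the thread suggests, before trusting any deny-list style rule.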

battles 05-15-2014 09:27 AM

Quote:

Originally Posted by TobiSGD (Post 5171107)
Please be careful with this. Even with not being allowed to start free using sudo in the above example, I still can start Vim using sudo, run Vim's :shell command and have full root access to that machine.

You devil, you!

