Sudo question
1. My Debian sudo file has a format like: 'user ALL=(ALL:ALL) ALL'. I can't find any explanation as to what the ALL:ALL means. Can anyone explain this or know where this might be explained?
2. I have a user who has been given full sudo privileges. I would like to prevent him from executing one single program on the system. I know how to include things that he could execute, but that would require quite a list of programs. I played with the 'user ALL=(root)NOEXEC: /user/path/to/the/program' parameter, but it didn't stop the user from sudoing the program. Anyone know how I might prevent him from executing this one program? Thanks.
ALL= Any location
(ALL:ALL) Means they can execute as any user, or group
(foo:foo) They can only execute as user/group foo
foobar=(ALL:ALL) as any user, but only from 'location' foobar (like via ssh)
Best to read the sudo documentation, especially if you are admin. Start with
Code:
man sudo
Don't want to be a rtm guy, but on a tablet at the moment. If you are still stuck I'm sure someone else can help before I can. But will add: use visudo to edit rules. And last rule wins! So
Code:
user ALL=(ALL:ALL) ALL
Hope that makes sense
That was my problem. I left out the ! before /bin/foobarNO.sh. Thanks, that answered it. I tried to make sense of the man sudo, but couldn't understand it.
You had NOEXEC, I had EXEC. The ! just inverts it. Really you need to read the docs, I've just done a very bad job paraphrasing them from memory. Good idea to set up a VM (VirtualBox is quick and easy for such things) to test it. And you need to test many things. Somewhere in the docs are things like not getting a root shell with things like vi, vim, less etc. sudo is great, but it is (when incorrectly configured) a security nightmare. Read as much as you can...
I have a VM with Debian weasy (or whatever it is called), but I haven't messed with it. Better that than messing up my server, of course.
Here is an example of what I wanted to do that works, compared to your example (I didn't even notice you used EXEC):
Code:
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free
This allows sam root privileges, but prevents him from using the 'free' program with sudo.
Are you certain that does what you need?
When testing, open a new shell (if GUI just start a new term; in screen do ctrl+a then c). And it's wheezy, as in the "Toy Story" character. All the Debian codenames are Toy Story chars. ;) Sid being the unstable one ;)
In fact!
Code:
sam ALL=(ALL:ALL) /usr/bin/free
Code:
sam ALL=(ALL:ALL) ALL, NOEXEC:/usr/bin/vim
Read the docs, don't even trust me, I missed that !
Proof (I think?)
sudo file:
Code:
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free
Code:
sam@host:~$ free
             total       used       free     shared    buffers     cached
Mem:        514436     438140      76296          0     146480     224076
-/+ buffers/cache:      67584     446852
Swap:            0          0          0
sam@host:~$ sudo free
[sudo] password for sam:
Sorry, user sam is not allowed to execute '/usr/bin/free' as root on localhost.
sam@host:~$ sudo ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May04 ?        00:00:15 init [2]
root         2     0  0 May04 ?        00:00:00 [kthreadd]
root         3     2  0 May04 ?        00:00:08 [ksoftirqd/0]
...
Nah,
try doing something else, other than free. Test "everything".
Edit: Sorry, I'm confused now. You want them to be able to do everything but..., or only a selected few?
Everything but. Another example:
sudo file:
Code:
sam ALL=(ALL:ALL) ALL, NOEXEC:!/usr/bin/free,!/usr/bin/updatedb
Code:
sam@host:~$ updatedb
updatedb: can not open a temporary file for `/var/lib/mlocate/mlocate.db'
sam@host:~$ sudo updatedb
[sudo] password for john:
Sorry, user sam is not allowed to execute '/usr/bin/updatedb' as root on localhost.
sam@host:~$
Before changing the sudo file to exclude updatedb, sam was able to do a sudo updatedb.
Ok
Actually makes sense now I think about it. NOEXEC means can run 'as' but not get a subshell (good). The ! means can't do this "one". Still a good idea to read the docs. sudo is convenient, but you must be careful with what you give. As you can see, my memory is 'suspect' with it; I usually review the docs, but it's not an everyday thing for me... If in doubt, man + web search (give low weighting to blogs, good and bad out there).
Please be careful with this. Even with not being allowed to start free using sudo in the above example, I still can start Vim using sudo, run Vim's :shell command and have full root access to that machine.
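A sudoers fragment, added here as an example and not taken from any post in the thread, putting the rules discussed above side by side with the control that actually holds. The user sam, the alias name SAM_ADMIN and the Debian command paths are assumptions. The three sections are alternatives, not one file: with an ALL rule present, the last matching rule still grants everything, so an allow-list placed under it would be meaningless.

```sudoers
# Added example, not from the thread. User "sam", alias SAM_ADMIN and the
# Debian paths are assumptions. A, B and C are alternatives: put only one of
# them in /etc/sudoers.d/sam, because sudo takes the last matching rule and a
# rule containing ALL would override an allow-list below it.
#
# Field layout:  user  host=(runas_user:runas_group)  [TAG:] command, ...
#   "sam ALL=(ALL:ALL) ALL" lets sam, on any host this file is deployed to,
#   run any command as any user (sudo -u) and any group (sudo -g).

# A. What the thread ended up with. "sudo free" is refused, but sudoers(5)
#    states that subtracting commands from ALL with '!' is not effective:
#    sam can copy the binary and run the copy, which ALL still permits,
#        cp /usr/bin/free /tmp/f && sudo /tmp/f
#    and any other root command (sudo vim, then :shell) gives him a root shell.
sam ALL=(ALL:ALL) ALL, !/usr/bin/free

# B. NOEXEC is a different control, not a deny. The command still runs as
#    root but may not exec() other programs, so vim's :shell and :!cmd fail.
#    (Recent sudo on Linux enforces this with a seccomp filter; older builds
#    rely on LD_PRELOAD, which only affects dynamically linked binaries.)
#    vim can still write /etc/shadow or /etc/sudoers as root, so for editing
#    prefer sudoedit, which edits a temporary copy as the calling user.
sam ALL=(root) NOEXEC: /usr/bin/vim
sam ALL=(root) sudoedit /etc/hosts

# C. The rule that actually keeps sam away from one program: an allow-list.
#    Everything not listed is denied by default, so "free" needs no mention.
Cmnd_Alias SAM_ADMIN = /usr/bin/apt-get, /usr/bin/systemctl, /usr/bin/journalctl
sam ALL=(root) SAM_ADMIN, NOEXEC: /usr/bin/vim, sudoedit /etc/hosts
```

Check any of these with `visudo -c -f /etc/sudoers.d/sam` before relying on them, then confirm the decision with `sudo -l -U sam /usr/bin/free`, which exits non-zero when the command is not permitted.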