Nope, because read access to passwd is needed by several things. So, do not touch it. As for the others, it is easier to allow certain commands than to exclude just a few commands. So, ask yourself what commands you want to allow to non-privileged users. Then create a command alias in sudoers, or even better, some file under /etc/sudoers.d/ for those commands. Something like this:
Code:
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot, /sbin/restart
POWERPUFF ALL = POWER
If you want to exclude commands from certain users, I think that you can put an exclamation mark in front of the command, but I have never used it personally. Something like this:
Code:
%halfadmin ALL = !/bin/rpm, !/usr/bin/up2date, !/usr/bin/yum
where halfadmin is the name of the group for those you want to have restricted use of sudo.
Then you have to make your home inaccessible to other users. /home/user is allowed access to other /home/users by default. Sudoers is only for commands, not permissions on files and directories. So, you'd have to remove read permissions for the users group.
The only thing I want this account to do is to access all other users' homes but not mine nor root.
I also don't want to allow access to visudo of any kind of installation.
I'm not even sure if this is possible but would be sufficient.
Along with what @AwesomeMachine said in how to do this, what is it you are actually using this "person" for? What would be his duties and responsibilities? Once you figure this out, if you need more help to see if this can be done, then come back and share it with us in here for help and guidance.
Just for someone else to be able to peek inside of someone else's home dir?
Code:
userx%slackwhere ⚡ ~ ⚡> sudo adduser deleteme
Login name for new user: deleteme
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional UNIX groups:
Users can belong to additional UNIX groups on the system.
For local users using graphical desktop login managers such
as XDM/KDM, users may need to be members of additional groups
to access the full functionality of removable media devices.
* Security implications *
Please be aware that by adding users to additional groups may
potentially give access to the removable media of other users.
If you are creating a new user for remote shell access only,
users do not need to belong to any additional groups as standard,
so you may press ENTER at the next prompt.
Press ENTER to continue without adding any additional groups
Or press the UP arrow key to add/select/edit additional groups
:
Home directory [ /home/deleteme ]
Shell [ /bin/bash ]
Expiry date (YYYY-MM-DD) []:
New account will be created as follows:
---------------------------------------
Login name.......: deleteme
UID..............: [ Next available ]
Initial group....: users
Additional groups: [ None ]
Home directory...: /home/deleteme
Shell............: /bin/bash
Expiry date......: [ Never ]
This is it... if you want to bail out, hit Control-C. Otherwise, press
ENTER to go ahead and make the account.
Creating new account...
Changing the user information for deleteme
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Changing password for deleteme
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Bad password: too short.
Warning: weak password (enter it again to use it anyway).
New password:
Re-enter new password:
passwd: password changed.
Account setup complete.
userx%slackwhere ⚡ ~ ⚡>
userx%slackwhere ⚡ ~ ⚡> cd /home
userx%slackwhere ⚡ home ⚡> ls
deleteme ftp lost+found userx userx-bk
userx%slackwhere ⚡ home ⚡> cd deleteme
userx%slackwhere ⚡ deleteme ⚡> ls
ls: cannot open directory '.': Permission denied
userx%slackwhere ⚡ deleteme ⚡> su
Password:
bash-4.3# ls
bash-4.3# pwd
/home/deleteme
bash-4.3#
I should have laid this out from the beginning.
We have a remote support team.
Their only task is to help customers with issues.
Each customer has his own home dir.
The team must have access to these dirs in order to resolve the issues, but to nothing else than that.
They have access to a GUI that shows them the server status and all information they need to know when something is working or not.
If it is not working, we will know and they can put in a request for that to be resolved.
That task is probably best handled by ACLs. If you tried to accomplish that by restricting what commands can be run via sudo, you would have to block, in addition to the specific commands you listed above, any command that has a shell escape (e.g., most editors) and any other command that can exec() arbitrary commands ("find" comes immediately to mind, and even the fairly benign "less" can launch other commands).
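The ACL approach suggested above, as an added example that is not part of the original post: a POSIX shell function that prints the `setfacl` commands for every customer home and locks the excluded homes to their owner. The function name, the `support` group and the excluded home names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread).
# plan_support_acls GROUP HOME_ROOT [EXCLUDED...]
# Prints, without running them, the commands that give GROUP read-only access
# to every home under HOME_ROOT except the excluded ones. Review the plan,
# then run it as root. GROUP and the excluded names are assumptions.
plan_support_acls() {
    group=$1 root=$2
    shift 2
    for home in "$root"/*/; do
        [ -d "$home" ] || continue            # HOME_ROOT empty: glob did not match
        home=${home%/}
        name=${home##*/}
        case $name in
            lost+found) continue ;;           # filesystem directory, not a home
            *[!A-Za-z0-9._-]*)                # would need quoting: handle by hand
                echo "# skipped: entry with unusual name under $root"; continue ;;
        esac
        excluded=no
        for ex in "$@"; do
            if [ "$name" = "$ex" ]; then excluded=yes; fi
        done
        if [ "$excluded" = yes ]; then
            echo "chmod 700 '$home'"          # owner only, no entry for GROUP
            continue
        fi
        # rX: read files and traverse directories, never add x to plain files.
        echo "setfacl -R -m 'g:$group:rX' '$home'"
        # Default ACL on directories so files created later inherit the grant.
        echo "find '$home' -type d -exec setfacl -d -m 'g:$group:rX' {} +"
    done
}
```

Members of the group still need search (x) permission on HOME_ROOT itself to reach the homes, and root's own home lives outside HOME_ROOT, so the plan never touches it.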
It is fascinating that even as things change, and everything gets easier, there hasn't been a tool that can effectively list out permissions and allow one to choose what a "sudo" user can and can't do.
You can see what elevated privileges they are granted using "sudo -l"
As to setting what they can and can't do, that is (mostly) done in /etc/sudoers
However, it is necessary to revisit the approach that you are trying:
It is a mistake to try to blacklist commands. A mischievous or malevolent user could always make a local copy of a forbidden command but give the copy a new name and run sudo to elevate privileges on that new name. Thus blacklisting does not and cannot work in sudo. I'm not sure even why the syntax allows it. What you do need to set up is a whitelist in /etc/sudoers of the programs you actually do want to let them have access to.
About the file system privileges, those are something else, but easier. Consider mode 751 or 701 for /home or also even some home directories.
Can you go into a little more detail about what you want to allow and what you want to block?
Sorry, user halfadmin is not allowed to execute '/bin/systemctl status sshd' as root on lab.server.com.
You should do man sudoers :P Later inputs take precedence over former inputs. So what you did was to allow full sudo privileges to halfadmin, and then you said that you've changed your mind and that you actually just want to prevent them from running the commands on the list. Considering the amount of commands you want to restrict, a better approach would be to just allow them what you want them to do. As someone mentioned, ACLs and file permissions are a better way to do what you want.
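An added example, not written by any poster in the thread: a POSIX shell function that scans sudoers-format text for the two problems raised above, negated `!command` entries and allowed commands that can launch other programs. The sample rules, the `%support` group and the editor names in the escape list are assumptions, and one rule per line is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers text for rules that only
# look restrictive. Assumes one rule per line (no backslash continuations).
#   NEGATED  "!command" entry: a blacklist, which a renamed copy does not match
#   ESCAPE   allowed command that can start other programs; find and less are
#            named in the thread, the editor names are an assumed starting list
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        eq = index($0, "=")                 # command list follows the first "="
        if (eq == 0) next
        count = split(substr($0, eq + 1), c, ",")
        for (i = 1; i <= count; i++) {
            cmd = c[i]
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            sub(/^\([^)]*\)[ \t]*/, "", cmd)        # drop a (runas) spec
            sub(/^([A-Z_]+:[ \t]*)+/, "", cmd)      # drop tags such as NOPASSWD:
            if (cmd ~ /^!/) {
                sub(/^![ \t]*/, "", cmd)
                printf "%d:NEGATED:%s\n", NR, cmd
                continue
            }
            split(cmd, w, " ")
            base = w[1]; sub(/.*\//, "", base)
            if (base ~ /^(find|less|vi|vim|nano)$/)
                printf "%d:ESCAPE:%s\n", NR, w[1]
        }
    }' "$@"
}

# Constructed sample: the group names and the %support rule are made up.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not from a real host
Cmnd_Alias POWER = /sbin/shutdown, /sbin/halt, /sbin/reboot
%halfadmin ALL = ALL
%halfadmin ALL = !/bin/rpm, !/usr/bin/up2date, !/usr/bin/yum
%support ALL = (root) NOPASSWD: /usr/bin/less /var/log/messages, /usr/bin/find /home -name core
EOF
}

# Demo: sh audit.sh --demo    Real use: audit_sudoers /etc/sudoers.d/<file>
if [ "${1:-}" = --demo ]; then sample_sudoers | audit_sudoers; fi
```

Each output line is `line:KIND:command`; on the sample it reports the three negated entries on line 4 and the `less` and `find` grants on line 5.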