LinuxQuestions.org
Old 06-21-2017, 06:28 AM   #16
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84

Quote:
Originally Posted by Turbocapitalist View Post
You can see what elevated privileges they are granted using "sudo -l"
As to setting what they can and can't do that is (mostly) done in /etc/sudoers

However, it is necessary to revisit the approach that you are trying:

It is a mistake to try to blacklist commands. A mischievous or malevolent user could always make a local copy of a forbidden command but give the copy a new name and run sudo to elevate privileges on that new name. Thus blacklisting does not and cannot work in sudo. I'm not sure even why the syntax allows it. What you do need to set up is a whitelist in /etc/sudoers of the programs you actually do want to let them have access to.

About the file system privileges, those are something else, but easier. Consider mode 751 or 701 for /home or also even some home directories.

Can you go into a little more detail about what you want to allow and what you want to block?
With the config provided, they don't even need to go to the trouble of copying a command. The blacklist allows shell access, so a simple 'sudo -i' will allow the user to do anything they want, including every one of the blacklisted commands.

Blacklists can be useful for setting up exceptions for a whitelist, but they don't work in trying to implement an "everything except ..." scenario. For example, with a whitelist/blacklist, you could allow a user to reset user passwords, but not change the root password, or manage services except the network.
 
Old 06-21-2017, 07:11 AM   #17
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,655
Blog Entries: 3

Rep: Reputation: 2901
Quote:
Originally Posted by sgrlscz View Post
For example, with a whitelist/blacklist, you could allow a user to reset user passwords, but not change the root password, or manage services except the network.
Ah, yes. I should be more specific. Blacklisting of users or groups can work but blacklisting commands cannot ever work.
 
Old 06-21-2017, 07:21 AM   #18
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
https://www.linuxquestions.org/quest...6/#post5720302 is my "go to" reference for sudo privs.
I should read it.
It's a bit "toothy" but "OM G.O.D" it is packed with Security Goodness.

Last edited by Habitual; 06-21-2017 at 07:22 AM.
 
Old 06-21-2017, 08:00 AM   #19
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (current), FreeBSD, Win10, It varies
Posts: 9,952

Rep: Reputation: 2148
Quote:
Originally Posted by nippon View Post
It is fascinating that even as things change, and everything gets easier, there hasn't been a tool that can effectively list out permissions and allow one to choose what a "sudo" user can and can't do.
I believe you see it like that because you are wanting to use sudo for something other than what it is intended for. As one already pointed out, Access Control Lists (ACL) were developed for restricting control, whereas sudo was developed for giving control.

out of the gate:
ACL says you can do this and this and this, but not this.
whereas sudo says you can do everything.

Last edited by BW-userx; 06-21-2017 at 08:05 AM.
 
Old 06-21-2017, 05:28 PM   #20
nippon
LQ Newbie
 
Registered: Jun 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thank you all !!!

It has been quite a learning experience for me as I have never encountered a situation such as the one I'm trying to address.

While there are tools like Jumpcloud, Userify (which is what we have been using for a while) and others that make managing SSH access easier for remote teams, they either don't have the ability to assign permission levels on a group of systems to a group of users or are planning to release it in the future to make group management easier.

It would have been easier with one or two boxes, but these are 100s of servers with multiple accounts being created each day.

For now, I have decided not to proceed with the "sudo" access until I figure out the best way to get this accomplished.

Again, thank you so much for each and every contribution.

Last edited by nippon; 06-21-2017 at 05:32 PM.
 
Old 06-21-2017, 07:32 PM   #21
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,910

Rep: Reputation: 1512
Quote:
Originally Posted by dejank View Post
If you want to exclude commands from certain users, think that you can put exclamation mark in front of command, but never used it personally. Something like this:

Code:
%halfadmin ALL = !/bin/rpm, !/usr/bin/up2date, !/usr/bin/yum
where halfadmin is name of group for those you want to have restricted use of sudo.
The problem with that is that you ALSO have to eliminate any commands that may grant access... such as /bin/sh, /bin/vi, /bin/awk, ....

Which makes your restriction useless.
 
Old 06-21-2017, 07:43 PM   #22
nippon
LQ Newbie
 
Registered: Jun 2017
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard View Post
The problem with that is that you ALSO have to eliminate any commands that may grant access... such as /bin/sh, /bin/vi, /bin/awk, ....

Which makes your restriction useless.
Hello jpollard.
If you are to do this (generically-speaking), which of these commands would you grant access and which would you restrict?

Thanks!
 
Old 06-22-2017, 03:12 AM   #23
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard View Post
The problem with that is that you ALSO have to eliminate any commands that may grant access... such as /bin/sh, /bin/vi, /bin/awk, ....

Which makes your restriction useless.
All right, have you tried to make user with those restrictions above and then to run, for example vi?
 
Old 06-22-2017, 04:38 AM   #24
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,910

Rep: Reputation: 1512
Quote:
Originally Posted by dejank View Post
All right, have you tried to make user with those restrictions above and then to run, for example vi?
Vi can start a shell... or any command directly. So "sudo vi" permits bypassing any restrictions. As does any shell. You can even do python or perl...
 
Old 06-22-2017, 05:02 AM   #25
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard View Post
Vi can start a shell... or any command directly. So "sudo vi" permits bypassing any restrictions. As does any shell. You can even do python or perl...
Ahh, yes, thought that you've said that you will not be able to use vi with those restrictions. Yes, those restrictions can be bypassed in several ways, if group/user is granted full privileges and then restricted in something, like this:

Code:
%halfadmin ALL = ALL, !/bin/ls
As someone said, sudoers file is better suited for allowing someone to do something which requires root privileges, than to restrict someone.
 
Old 06-22-2017, 10:36 AM   #26
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,655
Blog Entries: 3

Rep: Reputation: 2901
Quote:
Originally Posted by jpollard View Post
Vi can start a shell... or any command directly. So "sudo vi" permits bypassing any restrictions. As does any shell. You can even do python or perl...
For programs that can spawn shells, use NOEXEC in your sudoers specification to prevent escaping.

Code:
%halfadmin  ALL=(root:root) NOEXEC: /usr/bin/more, /usr/bin/less
However, for editors it is nearly always inappropriate to allow them to run privileged. Instead use sudoedit which is the same as sudo with the -e option. That runs the editor unprivileged but makes a copy of the file to be edited by the unprivileged account. When the editor exits, then the file edited by the unprivileged account is copied over the original file. That way you avoid running the editor with privileges.
 
Old 06-22-2017, 10:46 AM   #27
cynwulf
Senior Member
 
Registered: Apr 2005
Location: Walsall, UK
Posts: 2,640
Blog Entries: 7

Rep: Reputation: 2165
Quote:
Originally Posted by dejank View Post
If you want to exclude commands from certain users, think that you can put exclamation mark in front of command, but never used it personally. Something like this:

Code:
%halfadmin ALL = !/bin/rpm, !/usr/bin/up2date, !/usr/bin/yum
where halfadmin is name of group for those you want to have restricted use of sudo.
I'd strongly advise against using sudo exclusions. There are numerous (not to mention obvious) well known pitfalls in this unreliable method. Stick to traditional white-listing.

This was a presentation by Michael W Lucas (the author of "Sudo Mastery"):

https://www.bsdcan.org/2014/schedule...can%202014.pdf

Refer especially to page 91

Last edited by cynwulf; 06-22-2017 at 10:56 AM.
 
Old 06-22-2017, 01:59 PM   #28
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,910

Rep: Reputation: 1512
Quote:
Originally Posted by Turbocapitalist View Post
For programs that can spawn shells, use NOEXEC in your sudoers specification to prevent escaping.

Code:
%halfadmin  ALL=(root:root) NOEXEC: /usr/bin/more, /usr/bin/less
However, for editors it is nearly always inappropriate to allow them to run privileged. Instead use sudoedit which is the same as sudo with the -e option. That runs the editor unprivileged but makes a copy of the file to be edited by the unprivileged account. When the editor exits, then the file edited by the unprivileged account is copied over the original file. That way you avoid running the editor with privileges.
NOEXEC is a bit of help - it only works via a preload library. That library can still be bypassed.
Granted, it takes more effort.
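
An added example, not part of any post in this thread: a small Python audit that applies the points made above to single-line sudoers rules, flagging `ALL` combined with `!` exclusions, programs the thread names as shell-capable, and pagers granted without `NOEXEC`. The parsing is a simplification (no aliases, no line continuations), and `audit_rule`, `SAMPLE` and the three program sets are names made up for this sketch.

```python
import re

# Program names come from the thread; the grouping into three sets is this example's own.
INTERPRETERS = {"sh", "awk", "python", "perl"}  # execute arbitrary code as root
EDITORS = {"vi"}                                # thread advice: use sudoedit instead
PAGERS = {"more", "less"}                       # thread advice: acceptable under NOEXEC

def audit_rule(line):
    """Return a list of findings for one single-line sudoers user specification."""
    _, eq, rhs = line.partition("=")
    if not eq:
        return ["not a user specification"]
    rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the optional (runas) part
    findings, grants, negated, noexec = [], [], [], False
    for cmd in (c.strip() for c in rhs.split(",")):
        # Peel off tags such as NOPASSWD: or NOEXEC:; a tag also covers later commands.
        while (tag := re.match(r"([A-Z_]+):\s*", cmd)):
            if tag.group(1) in ("NOEXEC", "EXEC"):
                noexec = tag.group(1) == "NOEXEC"
            cmd = cmd[tag.end():]
        if not cmd:
            continue
        if cmd.startswith("!"):
            negated.append(cmd[1:].strip())
            continue
        grants.append(cmd)
        # Basename without a version suffix, so /usr/bin/python3 counts as python.
        name = re.sub(r"[\d.]+$", "", cmd.split()[0].rsplit("/", 1)[-1])
        if cmd == "ALL":
            findings.append("ALL: full root, '!' exclusions beside it can be bypassed")
        elif name in INTERPRETERS:
            findings.append(f"{cmd}: runs arbitrary commands as root")
        elif name in EDITORS:
            findings.append(f"{cmd}: editor runs as root, grant sudoedit on the file instead")
        elif name in PAGERS and not noexec:
            findings.append(f"{cmd}: can spawn a root shell, put NOEXEC: in front")
    if negated and not grants:
        findings.append("only '!' exclusions: grants nothing, sudo denies by default")
    return findings

# Constructed sample: the first three rules are quoted from the thread, the last two are made up.
SAMPLE = [
    "%halfadmin ALL = !/bin/rpm, !/usr/bin/up2date, !/usr/bin/yum",
    "%halfadmin ALL = ALL, !/bin/ls",
    "%halfadmin  ALL=(root:root) NOEXEC: /usr/bin/more, /usr/bin/less",
    "%halfadmin ALL = /usr/bin/less, /bin/vi",
    "%halfadmin ALL = sudoedit /etc/hosts",
]

if __name__ == "__main__":
    for rule in SAMPLE:
        print(rule, "->", audit_rule(rule) or "no findings")
```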
 
  

