LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-05-2010, 07:07 AM   #1
mikejreading
LQ Newbie
 
Registered: May 2009
Posts: 24

Rep: Reputation: 0
Smile sudo exceptions


Hi all,

I have set up the sodoers file to allow everyone in "group1" full sudo permissions without needing to enter their password.

Is there any way to allow users to perform everything except the shutdown command?
 
Old 11-05-2010, 08:30 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669
It would be a waste of time to try.

You could try using the negation (!) in front of shutdown command but then they might use reboot, halt, init or other utilities to get around that. You could locate every single utility that has the effect of stopping the system and then they'd simply do something like "sudo vi" and type ":!/bin/bash" to get a shell prompt that would then allow them to bypass any sudo restriction because that shell prompt would be a root shell prompt.

You really should NOT give global access to all commands to anyone other than system administrators and those should be allowed to shutdown the server. You should spend time finding out exactly what this "group" needs and grant only those commands. Trying to grant all then exclude a few simply won't work. You also need to investigate any command you plan to give to the group to be sure it doesn't pose security issues that make putting it in sudo the same thing as giving them full root access (e.g. vi many other programs allow for shell prompts, chmod would allow them to create a file with setuid, etc...).
 
2 members found this post helpful.
Old 11-05-2010, 08:37 AM   #3
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
You should rethink that policy. Always require password. Whitelist commands rather than blacklist them. I know it is very tempting - but it means you have to guess every possible way to do the thing you don't want to happen.

If your whitelist is too restrictive, your admins will complain to start with and you can think about it and keep adding commands you think are OK to the list until they stop complaining.
What you want to define needs the logical not (!) in front of the command is sudoers.

Note: you don't need to create a special group for sudo access, the one called "wheel" already does this.

So you'll have a line like:

wheel ALL = (ALL) ALL, !/sbin/shutdown

Careful though - this is not actually going to stop anyone shutting the system down. From the man page:
Quote:
It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
The man page also has advise about handling shell escapes.

Really, if you trust your admins with total access like this, just ask them to please not shutdown the system.

Last edited by Simon Bridge; 11-05-2010 at 08:44 AM.
 
1 members found this post helpful.
Old 11-05-2010, 02:56 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by mikejreading
Is there any way to allow users to perform everything except the shutdown command?
Probably not. To add to the previous comments (including those about how vim(1), less(1), and others allow shell commands to be issued):

Code:
$ cat shut-it-down.sh 
#!/bin/sh

/sbin/shutdown -h now

exit 0

$ sudo ./shut-it-down.sh
Code:
$ sudo mv /sbin/shutdown /sbin/gotcha

$ sudo /sbin/gotcha -h now
 
1 members found this post helpful.
Old 11-05-2010, 06:15 PM   #5
mikejreading
LQ Newbie
 
Registered: May 2009
Posts: 24

Original Poster
Rep: Reputation: 0
Thanks for all the replies guys.

Having heard all of your thoughts I realise I was just doing a bit of lazy admin. I think the way forward is to see what the admins complain about..

Thanks guys :-)
 
Old 11-07-2010, 03:39 AM   #6
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198Reputation: 198
Read the sudoers manual - at the bottom there are examples. It shows you how to set up an admin group alias, assign people to it, and assign commands for them. So, instead of giving all your admins access to the wheel (unix) group, put them in ADMIN in sudoers and just list allowed commands for them.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The Ultimate Sudo FAQ To Sudo Or Not To Sudo? LXer Syndicated Linux News 13 04-13-2013 01:36 AM
Problem with SUDO : sudo: pam_authenticate: Module is unknown cristoph_ Linux - Software 2 03-02-2009 07:12 PM
Restricting Editing in Sudo (Advanced Sudo Question) LinuxGeek Linux - Software 4 11-04-2006 03:20 PM
Exceptions bianchi Programming 1 11-17-2005 08:36 PM
Regarding Exceptions eshwar_ind Programming 1 05-03-2005 12:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration