sudo: limiting activity to the localhost

Cenobite · 02-27-2006, 03:04 AM

Firstly I wish to apologise if this question appears (and is solved) elsewhere on these forums, though I couldn't really find anything that tackles my specific problem.

I'm setting up a Linux server (Slackware 10.2) to which various dumb terminals connect via telnet. I've set it up so that only a specific non-root user (called "unisolv") is allowed to halt and reboot the server. I want this to only be allowed from the physical terminal, to negate the possibility that a user from one of the dumb terminals is able to shutdown the machine at will.

My /etc/sudoers file follows: (hostname = "jupiter")

Code:

Defaults requiretty
Defaults lecture=never

Host_Alias SERVER = jupiter

root   ALL=(ALL) ALL

%wheel   ALL=(ALL)ALL

# Allow user unisolv (only on localhost) to execute
# the following commands without requiring passwd.
unisolv SERVER = NOPASSWD:/sbin/shutdown -h,/sbin/shutdown -r

The problem is, the commands are executable from both the localhost aswell as remotely via telnet. I've tried changing the "SERVER" Host_Alias variable to the address on the local net (192.168.0.23) but the problem persists. When changing the same value to "localhost", I am not allowed to execute the commands, even from the local host.

"localhost" exists in /etc/hosts as 127.0.0.1 and is fully pingable.

To recap, what I want is for the shutdown command to be run through sudo by the user unisolv, but only on the physical localhost and NOT remotely via telnet etc.

Any help on this issue would be greatly appreciated.

unSpawn · 02-28-2006, 09:13 AM

Check out "man sudoers" under Defaults for "requiretty", then look under Examples on how to add this to your user/command.

Cenobite · 03-02-2006, 03:32 AM

As noted above, I do have Defaults requiretty set.

I've also tried: Defaults@SERVER requiretty
And even: Defaults !!requiretty

None of this seems to help me, a user telnetting in under that username
is stil able to run the commands which I want to limit to the localhost.

Thanks in advance.

unSpawn · 03-02-2006, 08:06 AM

As noted above, I do have Defaults requiretty set.
Sorry. Overlooked that.

OK, I tried the "requiretty" myself, and according to how it should work this isn't a workable solution. A workaround could involve using a tty-checking wrapper script for the shutdown command. It is a weak solution because it requires more modifications to the system than it's worth IMHO. A much better and easier workaround exists: the only requirements are the user "unisolv" only has one sudo command (shutdown) (else you will have to move that command to a unique username that only will perform that one command) and you use PAM (and have PAM listfile module installed). I use it a lot to cover all kind of PAM-ified access like ssh (I don't need no DenyUsers), sudo etc etc. Add the allowed tty's to /etc/pam.d/sudo.tty. Open /etc/pam.d/sudo and add this line: "auth required pam_listfile.so item=tty sense=allow file=/etc/pam.d/sudo.tty onerr=fail apply=unisolv" in the "auth" section (above account). To check ssh to this box with the "unisolv" account and issue "sudo -l". You should see in the logs that because it has a pseudotty assigned any sudo command should fail. Works for me, but as always YMMV(VM). If anyone has a more secure or "better" solution or any additions I'd like to hear that.

Cenobite · 03-02-2006, 11:27 AM

Thanks for your assistance, unSpawn! I'll give PAM a try and check my mileage, however I'm also keen to find out if anyone else has a working solution for this.

I've been struggling with this (work-related) little problem for a while now, and at this stage I'm willing to try any old hack, no matter how greasy it is