Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I'm trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh.
Is there a way to allow users to run anything they want except shells? I realise this is a default permit which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decide on the likely 1000+ commands I would want to be genuinely allowed.
As I said this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands, rather they switch to bash, but any auditing would help.
Any strategies or settings I'm just not seeing?
For reference this is on RHEL6 with sudo 1.7.2p2-9.el6.x86_64
Sorry, how should I make them a member? You mean chown root:root ... but that doesn't seem right because:
Code:
[root@pomelo chakkerz]# ls -l /bin/bash
-rwxr-xr-x. 1 root root 943248 Jun 23 2010 /bin/bash
And I don't see anything in the default /etc/sudoers file that appears relevant either ... well there is the User_Alias and Cmnd_Alias stuff .. but that doesn't seem entirely relevant...
Can you give me more detail please?
Thanks for the Alias comment ... I was going to forget that.
Oh, sorry 'bout that, I meant to say the "wheel" group.
Then only members of the wheel group have access.
Without a GUI it's a bit hard to do everything at once, but you may dictate which shell (bash, csh, zsh, etcetera etcetera) users have access to.
and from there you may be able to restrict users, but if you want everybody to have admin rights, it may be difficult to split them into categories/groups.
You may use the wheel group and sudo to do it. (I think
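
A sudoers fragment for the setup discussed in this thread (wheel members may run anything through sudo except a direct shell, and get rootsh for audited shell sessions), added here as an example and not posted by any participant. The rootsh path and the decision to refuse su as well are assumptions; the other paths are the usual RHEL 6 locations.

```sudoers
# Constructed example; edit with visudo and check the syntax with "visudo -c".
# Assumption: rootsh is installed as /usr/bin/rootsh; adjust to the real path.
Cmnd_Alias AUDITED_SHELL = /usr/bin/rootsh

# Interactive shells that should not be started directly through sudo.
# "sudo -s" runs the caller's own shell ($SHELL or the passwd entry), so it is
# checked against these paths as well.
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/csh, /bin/tcsh, /bin/ksh, /bin/zsh

# Assumption: "sudo su -" should be refused for the same reason as "sudo bash".
Cmnd_Alias SU = /bin/su

# Entries are evaluated left to right and the last match wins:
# ALL permits everything, the negated aliases then deny the shells and su,
# and the audited shell is listed last so it is always permitted.
%wheel ALL = (root) ALL, !SHELLS, !SU, AUDITED_SHELL
```

The negated aliases match on path only, and the sudoers manual itself notes that subtracting commands from ALL is not an effective restriction. Treat this as a guard rail that steers administrators towards `sudo <command>` and rootsh, with a reviewed allow-list as the stronger control.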