LinuxQuestions.org > Linux - Security
The sudoers file is where you can configure access to run commands as root. You should use visudo to edit this file; however, I don't know any way of restricting this to a date and time period.
What you could do is restrict the user account at logon level, but remember this would prevent access to the system for this user outside of the time allocated.
Alternatively you could script something through cron, but remember to keep a safe copy of your original sudoers file.
I don't know of an elegant way to do this either, but...
If this is a one-time deal, you could probably keep two (working) copies of sudoers -- #1 is the original sudoers file, and #2 is the sudoers file with the user appropriately configured. Then create an at(1) job that replaces #1 with #2 at a certain time. And create another at(1) job that replaces #2 with #1. Simple enough concept, but you'll want to test it very thoroughly, and build in some intelligent error handling and notification if things go wrong.
If your script-fu is no good, then you probably shouldn't do this.
Yeah, that's what I thought of as well. Here's a shell script example. Untested and kind of crude, so YMMV(VM):
Code:
#!/bin/bash --
# Source file
SUDOERS=/etc/sudoers
# No source
[ -f "${SUDOERS}" ] || { logger "No ${SUDOERS}. Exiting."; exit 1; }
# Bad original (visudo -c -f checks the named file without opening an editor)
visudo -c -f "${SUDOERS}" > /dev/null || { logger "Bad ${SUDOERS}. Exiting."; exit 1; }
# Replacement
REPLACEMENT=/etc/sudoers.temporary
# No replacement
[ -f "${REPLACEMENT}" ] || { logger "No ${REPLACEMENT}. Exiting."; exit 1; }
# Bad replacement
visudo -c -f "${REPLACEMENT}" > /dev/null || { logger "Bad ${REPLACEMENT}. Exiting."; exit 1; }
# Backup file
BACKUP=/etc/.sudoers.$(date +%Y%m%d_%H%M)
# Got any?
find /etc -maxdepth 1 -type f -name '.sudoers.*' | xargs -I S logger "Got 'S'"
# wax on: put the SELinux context and the chattr flags back on a file;
# wax off: clear the flags so the file can be replaced
function wax() {
case "$1" in
on) [ -z "${ctx}" ] || [ "${ctx}" = "?" ] || chcon "${ctx}" "$2"; [ -z "${XATTR}" ] || chattr +${XATTR} "$2" ;;
off) [ -z "${XATTR}" ] || chattr -${XATTR} "$2" ;;
esac
}
# Record attributes: hash, mode, owner, group, SELinux context ("?" when there is none)
HASH=($(sha1sum "${SUDOERS}")); HASH=${HASH[0]}
ATTRIBS=($(stat -c "%a %u %g %C" "${SUDOERS}")); m=${ATTRIBS[0]}; u=${ATTRIBS[1]}; g=${ATTRIBS[2]}; ctx=${ATTRIBS[3]}
# lsattr prints the flag string, then the path; keep only the flags chattr can
# both set and clear here (i = immutable, a = append-only), never 'e'
XATTR=($(lsattr "${SUDOERS}")); XATTR=${XATTR[0]//[^ia]/}
function doStuff() { # Backup, install replacement
# install takes -o for the owner (there is no -u), and options go before the operands
install -m "$m" -o "$u" -g "$g" "${SUDOERS}" "${BACKUP}" || { logger "Backup failed. Exiting."; exit 1; }
wax on "${BACKUP}"
wax off "${SUDOERS}"
install -m "$m" -o "$u" -g "$g" "${REPLACEMENT}" "${SUDOERS}" \
|| { logger "Install failed. Exiting."; sha1sum "${SUDOERS}" | grep -q "${HASH}" \
|| { install -m "$m" -o "$u" -g "$g" "${BACKUP}" "${SUDOERS}"; wax on "${SUDOERS}"; }; exit 1; }
wax on "${SUDOERS}"
} # End doStuff
function unDoStuff() { # OK, so the attribs could be wrong...
# Backups oldest first by change time; the file name already carries the timestamp
select FILE in quit $(find /etc -maxdepth 1 -type f -name '.sudoers.*' -printf "%C@ %p\n" | sort -n -k1 | cut -d ' ' -f 2);
do case "$FILE" in quit) return;; "") echo "No such choice";; *) echo "Replacing with ${FILE}"; wax off "${SUDOERS}"; \
install -m "$m" -o "$u" -g "$g" "${FILE}" "${SUDOERS}"; wax on "${SUDOERS}"; return;; esac; done
} # End unDoStuff
# Here's where we actually *do* stuff...
case "$1" in
undo|restore) unDoStuff;;
-*|help|warranty) echo "Doh..."; exit 127;;
*) doStuff;;
esac
# Farewell check
visudo -c -f "${SUDOERS}" > /dev/null || logger "Bad ${SUDOERS}: SOL."
exit 0
Run it without arguments as 'at -f /this/file $TIMESPEC' to queue it; running it with the argument "undo" or "restore" *should* give you a chance to replace the, ahh, replacement. Again YMMV(VM).
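Before an at(1) job swaps the files as the two posts above describe, the check a practitioner would want is that the replacement differs from the original only by the intended user's entries, so a mis-edited replacement cannot quietly widen access. The following is an added example, not code from the thread; the paths, the user name and the function names are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Paths, the user name and the function
# names are assumptions chosen for illustration.

# check_replacement ORIGINAL REPLACEMENT USER
# Succeeds only if, ignoring comments and blank lines, REPLACEMENT differs
# from ORIGINAL by nothing but added lines whose first word is USER (user
# specifications for that account). A removed line, or an added line for
# another user, a %group, an alias or a Defaults entry, makes it fail.
check_replacement() {
    orig="$1"; repl="$2"; user="$3"
    tmpdir=$(mktemp -d) || return 1
    # Normalise and sort both files so a comment or blank line cannot mask
    # a change, then let comm(1) compute the two set differences.
    grep -Ev '^[[:space:]]*(#|$)' "$orig" | LC_ALL=C sort > "$tmpdir/orig"
    grep -Ev '^[[:space:]]*(#|$)' "$repl" | LC_ALL=C sort > "$tmpdir/repl"
    removed=$(LC_ALL=C comm -23 "$tmpdir/orig" "$tmpdir/repl")   # only in ORIGINAL
    added=$(LC_ALL=C comm -13 "$tmpdir/orig" "$tmpdir/repl")     # only in REPLACEMENT
    rm -rf "$tmpdir"
    [ -z "$removed" ] || return 1
    # Every added line must start with the intended user name, nothing else.
    printf '%s\n' "$added" | awk -v u="$user" 'NF && $1 != u { bad = 1 } END { exit bad + 0 }'
}

# preflight ORIGINAL REPLACEMENT USER
# What an at(1) job should run before swapping the files: both must exist,
# the replacement must parse (visudo -c, when visudo is installed) and it
# must pass check_replacement. Prints the reason on failure.
preflight() {
    orig="$1"; repl="$2"; user="$3"
    [ -f "$orig" ] && [ -f "$repl" ] \
        || { echo "preflight: missing $orig or $repl" >&2; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$repl" >/dev/null \
            || { echo "preflight: $repl fails visudo -c" >&2; return 1; }
    fi
    check_replacement "$orig" "$repl" "$user" \
        || { echo "preflight: $repl changes more than $user's entries" >&2; return 1; }
    echo "preflight: $repl adds only $user's entries"
}

# Constructed sample run in a temp dir (nothing under /etc is touched):
# d=$(mktemp -d)
# printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n' > "$d/orig"
# printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n# temp\nbob ALL=(ALL) ALL\n' > "$d/repl"
# preflight "$d/orig" "$d/repl" bob
```

Run as root on the real files, visudo -c is what reports a syntax or permission problem; run on copies as an ordinary user, only the diff check applies.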