10-30-2014, 05:18 PM, #1, Member (Registered: Jan 2012, Posts: 72)
sudoers problem
Dear All,
I have set up a user group in sudoers to allow some specific commands.
Commands allowed to the group are running fine. I have not allowed them to run the service command or the /etc/init.d/service command.
But that user can run the /etc/init.d/service status command.
How can I restrict that user from running the /etc/init.d/asterisk command?
User_Alias DGS = john,johny
DGS ALL= NOPASSWD: /bin/date, /usr/bin/tail, /usr/bin/tailf, /bin/ls*, /bin/grep*, /bin/cat*, /usr/bin/find*, /usr/sbin/mtr, /usr/bin/less, /usr/bin/more, !/etc/rc.d/init.d/asterisk
At the end I have written !/etc/rc.d/init.d/asterisk but it is not restricting it in CentOS.
Please suggest the solution.
regards,
kamran
10-30-2014, 06:17 PM, #2, Original Poster (Member, Registered: Jan 2012, Posts: 72)
Please help.
I just want to block access to the following command for the user group DGS defined in the sudoers file:
/etc/init.d/asterisk status
How do I block this access in sudoers?
10-30-2014, 06:30 PM, #3, LQ Guru (Registered: Apr 2010, Location: Continental USA, Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro, Posts: 6,059)
Testing...
Question: can a normal user (not in the target group) run that command WITHOUT sudo?
If they can, then sudo is not giving the permission, and changing the sudo configuration will not help you.
Make sure the init files belong to root and have permissions like 700, and see if that does the job for you.
10-30-2014, 06:44 PM, #4, Original Poster (Member, Registered: Jan 2012, Posts: 72)
Dear wpeckham,
Yes, you are right. I have tried with a normal bash user and it can run the command.
But I can't set the permissions of /etc/init.d/asterisk to 700 because it may impact my production time.
Is there any other way to sort this out?
Current permissions are as below:
#ls -al /etc/init.d/asterisk
-rwxr-xr-x 1 root root 4187 Oct 1 05:18 /etc/init.d/asterisk
Regards,
Kamran
10-31-2014, 05:52 AM, #5, ELF Statifier author (Registered: Oct 2007, Posts: 676)
Quote: Originally Posted by kamran.ayub (post #1 above, quoted in full)
It is not related to your question, but anyway...
In your sudoers file you specified, among other things, find, less and more.
find and less (maybe more too) are able to execute arbitrary commands.
So allowing those commands is effectively the same as allowing full root access.
If you really need those commands you may want to consider sudoers' NOEXEC specifier
to close this hole.
Valery
10-31-2014, 08:01 AM, #6, LQ Guru (Registered: Apr 2010, Location: Continental USA, Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro, Posts: 6,059)
700 in /etc/init.d (/etc/rc.d/init.d)
The init files normally need to be run as root on startup anyway. Restricting them only removes the ability of non-root users to get status information, which appears to be exactly what you want.
I am not saying there will be no unintended consequences, but they should be non-fatal.
Why not try this with one or two that you want to lock down. If those cause no issues, move on to one or two more.
Last edited by wpeckham; 10-31-2014 at 08:02 AM.
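The three points made in posts #3 to #6 (a "!" entry in sudoers cannot stop a command the user can already run without sudo, so the file mode is what matters; find, less and more hand out a root shell unless NOEXEC is set; and "/bin/ls*"-style wildcards match more than /bin/ls) can be checked mechanically. The script below is an added example and is not code from the thread or from the sudo project. It parses the rule from post #1, reports those problems, and prints a rewritten rule. The SHELL_ESCAPES set, the helper names and SAMPLE_MODES (which mirrors the -rwxr-xr-x mode shown in post #4) are assumptions; real_modes() reads the actual modes when run on the host.

```python
"""Lint and harden a sudoers rule like the one posted in this thread.

Added example, not from the thread or from sudo itself.  Helper names,
the SHELL_ESCAPES set and the sample data are assumptions.
"""
import os
import re
import stat

# Programs that can start other programs once running as root
# (find -exec, the '!' escape in less/more, ':!' in vi).  Assumed list.
SHELL_ESCAPES = {"find", "less", "more", "vi", "vim", "man"}

# Constructed sample: the rule from post #1 and the mode post #4 showed
# for the init script (-rwxr-xr-x == 0o755 on a regular file).
POSTED_RULE = ("DGS ALL= NOPASSWD: /bin/date, /usr/bin/tail, /usr/bin/tailf, "
               "/bin/ls*, /bin/grep*, /bin/cat*, /usr/bin/find*, /usr/sbin/mtr, "
               "/usr/bin/less, /usr/bin/more, !/etc/rc.d/init.d/asterisk")
SAMPLE_MODES = {"/etc/rc.d/init.d/asterisk": 0o100755}


def parse_rule(rule):
    """Split 'USER HOST= [TAG:] cmd, [TAG:] cmd' into (user, host, entries).

    Each entry is (tags, negated, path).  Tags such as NOPASSWD: or NOEXEC:
    stay in force for the following commands until switched off, which is
    how sudoers reads them.  Argument specs after the path are ignored."""
    lhs, rhs = rule.split("=", 1)
    user, host = lhs.split()
    tags, entries = set(), []
    for item in rhs.split(","):
        item = item.strip()
        if not item:
            continue
        while (m := re.match(r"([A-Z]+):\s*", item)):
            tag = m.group(1)
            if tag == "EXEC":
                tags.discard("NOEXEC")
            elif tag == "PASSWD":
                tags.discard("NOPASSWD")
            else:
                tags.add(tag)
            item = item[m.end():]
        negated = item.startswith("!")
        path = item.lstrip("!").split()[0]
        entries.append((frozenset(tags), negated, path))
    return user, host, entries


def real_modes(paths):
    """st_mode for the paths that exist on this host (for live use)."""
    return {p: os.stat(p).st_mode for p in paths if os.path.exists(p)}


def lint(rule, modes):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for tags, negated, path in parse_rule(rule)[2]:
        name = path.rstrip("*?").rsplit("/", 1)[-1]
        if negated:
            mode = modes.get(path)
            if mode is not None and mode & stat.S_IXOTH:
                findings.append(f"{path}: '!' only excludes it from sudo; mode "
                                f"{oct(mode & 0o777)} lets every user run it "
                                "directly, fix with chmod")
            else:
                findings.append(f"{path}: '!' only excludes it from sudo; "
                                "check that the file is not executable by others")
            continue
        if "*" in path or "?" in path:
            findings.append(f"{path}: wildcard also matches other programs "
                            f"whose name starts with '{name}', with any arguments")
        if name in SHELL_ESCAPES and "NOEXEC" not in tags:
            findings.append(f"{path}: can run arbitrary commands as root; "
                            "prefix it with NOEXEC: or drop it")
    return findings


def harden(rule):
    """Rewrite the rule: no wildcards, no '!' entries, NOEXEC on escapes."""
    user, host, entries = parse_rule(rule)
    passwd = "NOPASSWD: " if entries and "NOPASSWD" in entries[0][0] else ""
    out, noexec = [], False
    for _tags, negated, path in entries:
        if negated:
            continue            # enforce with file modes, not sudoers
        path = path.rstrip("*?")
        want = path.rsplit("/", 1)[-1] in SHELL_ESCAPES
        if want != noexec:      # tags persist, so switch them explicitly
            out.append(("NOEXEC: " if want else "EXEC: ") + path)
            noexec = want
        else:
            out.append(path)
    return f"{user} {host}= {passwd}" + ", ".join(out)


if __name__ == "__main__":
    for finding in lint(POSTED_RULE, SAMPLE_MODES):
        print("-", finding)
    print(harden(POSTED_RULE))
```

Run it with the posted rule and it reports the asterisk entry as a chmod problem rather than a sudoers one, flags find, less and more, and prints a rule with NOEXEC:/EXEC: switched around the escape-capable commands (a NOEXEC: tag otherwise stays in force for every command listed after it). Replace SAMPLE_MODES with real_modes([...]) on the host to check the actual file modes, and always load the result through visudo rather than editing /etc/sudoers directly.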