LinuxQuestions.org
Linux - Software
Old 10-30-2014, 05:18 PM   #1
kamran.ayub
Member
 
Registered: Jan 2012
Posts: 72

sudoers problem


Dear All,

I have set up a user group in sudoers to allow some specific commands.
The commands allowed to the group are running fine. I have not allowed running the service command or the /etc/init.d/service command.
But that user can run the /etc/init.d/service status command.

How can I restrict that user from running the /etc/init.d/asterisk command?

User_Alias DGS = john,johny
DGS ALL= NOPASSWD: /bin/date, /usr/bin/tail, /usr/bin/tailf, /bin/ls*, /bin/grep*, /bin/cat*, /usr/bin/find*, /usr/sbin/mtr, /usr/bin/less, /usr/bin/more, !/etc/rc.d/init.d/asterisk

At the end I have written !/etc/rc.d/init.d/asterisk but it is not restricting it in CentOS.

Please suggest the solution.

regards,
kamran
 
Old 10-30-2014, 06:17 PM   #2
kamran.ayub
Member
 
Registered: Jan 2012
Posts: 72

Original Poster
Please help.

I just want to block access to the following command for the user group DGS defined in the sudoers file.

/etc/init.d/asterisk status

How do I block this access in sudoers?
 
Old 10-30-2014, 06:30 PM   #3
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,433

Testing...

Question: can a normal user (not in the target group) run that command WITHOUT sudo?
If they can, then sudo is not giving the permission and changing the sudo configuration will not help you.

Make sure the init files belong to root and have permissions like 700, and see if that does the job for you.
 
Old 10-30-2014, 06:44 PM   #4
kamran.ayub
Member
 
Registered: Jan 2012
Posts: 72

Original Poster
Dear wpeckham,

Yes, you are right. I have tried with a normal bash user and it can run the command.
But I can't set the permissions on /etc/init.d/asterisk to 700 because it may impact my production time.
Is there any other way to sort this out?
Current permissions are as below:

#ls -al /etc/init.d/asterisk
-rwxr-xr-x 1 root root 4187 Oct 1 05:18 /etc/init.d/asterisk

Regards,
Kamran
 
Old 10-31-2014, 05:52 AM   #5
Valery Reznic
ELF Statifier author
 
Registered: Oct 2007
Posts: 676

Quote:
Originally Posted by kamran.ayub View Post
Dear All,

I have set up a user group in sudoers to allow some specific commands.
The commands allowed to the group are running fine. I have not allowed running the service command or the /etc/init.d/service command.
But that user can run the /etc/init.d/service status command.

How can I restrict that user from running the /etc/init.d/asterisk command?

User_Alias DGS = john,johny
DGS ALL= NOPASSWD: /bin/date, /usr/bin/tail, /usr/bin/tailf, /bin/ls*, /bin/grep*, /bin/cat*, /usr/bin/find*, /usr/sbin/mtr, /usr/bin/less, /usr/bin/more, !/etc/rc.d/init.d/asterisk

At the end I have written !/etc/rc.d/init.d/asterisk but it is not restricting it in CentOS.

Please suggest the solution.

regards,
kamran
It is not related to your question, but anyway...
In your sudoers file you specified, among other things, find, less and more.
find and less (maybe more too) are able to execute arbitrary commands.
So allowing those commands is effectively the same as allowing full root access.
If you really need those commands you may want to consider sudoers' noexec specifier
to close this hole.

Valery
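An added example, not posted in the thread, that does what Valery suggests in two steps: it audits a sudoers Cmnd_Spec line for the programs he names as able to run other commands (find, less, more) and then emits the same line with sudo's NOEXEC tag in front of the command list. The function names and the ESCAPE_CAPABLE list are mine; the sample line is kamran's from post #1.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a sudoers Cmnd_Spec line for the
# programs Valery names as able to execute arbitrary commands, and prints the
# line again with the NOEXEC tag added. Function names and ESCAPE_CAPABLE are
# this example's own; the sample line is the one kamran posted.

# Programs the post names as able to execute arbitrary commands.
ESCAPE_CAPABLE="find less more"

# The command list is whatever follows the last tag ("NOPASSWD: "), or,
# when the line carries no tags, whatever follows the '='.
cmnd_list() {
    case "$1" in
        *": "*) printf '%s\n' "${1##*: }" ;;
        *)      printf '%s\n' "${1#*=}" ;;
    esac
}

# Print the basename of every listed command that is in ESCAPE_CAPABLE.
shell_escapes_in() {
    cmnd_list "$1" | tr ',' '\n' | while read -r c; do
        c=${c#!}          # drop a leading negation such as !/etc/rc.d/init.d/asterisk
        c=${c%%\**}       # drop a trailing wildcard such as /bin/ls*
        b=${c##*/}        # basename of the command path
        for e in $ESCAPE_CAPABLE; do
            if [ "$b" = "$e" ]; then printf '%s\n' "$b"; fi
        done
    done
}

# Return the line with "NOEXEC:" placed before the command list. Idempotent:
# a line that already carries NOEXEC is returned unchanged.
add_noexec() {
    case "$1" in
        *NOEXEC:*) printf '%s\n' "$1" ;;
        *": "*)    printf '%s\n' "${1%: *}: NOEXEC: ${1##*: }" ;;
        *)         printf '%s\n' "${1%%=*}= NOEXEC:${1#*=}" ;;
    esac
}

# kamran's line from post #1.
OP_LINE='DGS ALL= NOPASSWD: /bin/date, /usr/bin/tail, /usr/bin/tailf, /bin/ls*, /bin/grep*, /bin/cat*, /usr/bin/find*, /usr/sbin/mtr, /usr/bin/less, /usr/bin/more, !/etc/rc.d/init.d/asterisk'

echo "entries able to run other commands:"
shell_escapes_in "$OP_LINE"
echo "hardened line:"
add_noexec "$OP_LINE"
```

Two caveats a practitioner would want alongside this. First, NOEXEC works by intercepting the exec calls of dynamically linked programs, so, as the sudoers manual states, it does not cover statically linked binaries. Second, the NOEXEC tag, like the `!` entry, only changes what sudo permits; it does nothing for a script that any local user can already run without sudo, which is the situation wpeckham identified for /etc/init.d/asterisk. Install the hardened line through visudo, and check a candidate file first with `visudo -c -f <file>`.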
 
Old 10-31-2014, 08:01 AM   #6
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,433

700 in /etc/init.d (/etc/rc.d/init.d)

The init files normally need to be run as root on startup anyway. Restricting them only removes the ability of non-root users to get status information, which appears to be exactly what you want.

I am not saying there will be no unintended consequences, but they should be non-fatal.

Why not try this with one or two that you want to lock down? If those cause no issues, move on to one or two more.

Last edited by wpeckham; 10-31-2014 at 08:02 AM.
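An added example, not from the thread, that turns wpeckham's two posts into a repeatable check: it reports whether an init script's mode lets users other than its owner run it directly (which is why the sudoers `!` entry had no effect), lists every such script in a directory, and applies the 700 fix. It works on constructed copies under a temporary directory, never on the live /etc/init.d/asterisk, and assumes GNU coreutils stat (-c '%a').

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces wpeckham's check: can a user
# outside the sudoers group run the init script directly, with no sudo involved?
# Then shows what chmod 700 changes. Runs on constructed copies in a temp dir,
# not on the real /etc/init.d. Assumes GNU coreutils stat (-c '%a').

# Octal mode bits of a file, e.g. 755 (what kamran's ls -al output encodes).
mode_of() {
    stat -c '%a' "$1"
}

# True (exit 0) when group or other hold an execute bit, i.e. the file can be
# run by users other than its owner without sudo being involved at all.
runnable_by_non_owner() {
    perm=$(( 0$(mode_of "$1") ))      # leading 0 makes the shell parse it as octal
    [ $(( perm & 011 )) -ne 0 ]       # 011 = group execute (010) | other execute (001)
}

# Print "path mode" for every regular file in a directory that non-owners can run.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if runnable_by_non_owner "$f"; then
            printf '%s %s\n' "$f" "$(mode_of "$f")"
        fi
    done
}

# Apply the fix from post #6 (owner-only; root still runs it at boot) and
# return the resulting mode.
lock_down() {
    chmod 700 "$1"
    mode_of "$1"
}

# Constructed demo: two fake init scripts, one with the 755 mode kamran showed.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "asterisk is running"\n' > "$d/asterisk"
    printf '#!/bin/sh\necho "httpd is running"\n' > "$d/httpd"
    chmod 755 "$d/asterisk"
    chmod 700 "$d/httpd"
    echo "before:"; audit_dir "$d"          # lists only asterisk 755
    lock_down "$d/asterisk" >/dev/null
    echo "after:";  audit_dir "$d"          # lists nothing
    rm -rf "$d"
}

demo
```

Run `audit_dir /etc/init.d` (or /etc/rc.d/init.d) to get the list wpeckham suggests working through one or two scripts at a time; `lock_down` is the chmod 700 from post #6, applied to a path you have already decided to change.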