Disable switching to root alternatives | Unix Linux Forums | Linux

  Go Back    


Linux RedHat, Ubuntu, SUSE, Fedora, Debian, Mandriva, Slackware, Gentoo linux, PCLinuxOS. All Linux questions here!

Disable switching to root alternatives

Linux


Closed Thread    
 
Thread Tools Search this Thread Display Modes
    #1  
Old 01-17-2013
jabalv jabalv is offline
Registered User
 
Join Date: Sep 2011
Last Activity: 6 July 2014, 3:15 PM EDT
Posts: 17
Thanks: 4
Thanked 1 Time in 1 Post
Disable switching to root alternatives

Hello!

Do anyone have idea how to block switching to root if user have full sudo?

One way is in sudoers file block use of "su", but still it`s possible with sudo -i or sudo -s , sudo bash etc.
Other way is create alias on sudoers and permit only specific commands for user.

Any ideas?
Sponsored Links
    #2  
Old 01-17-2013
Tommyk Tommyk is offline
Registered User
 
Join Date: Aug 2011
Last Activity: 24 September 2014, 7:12 AM EDT
Location: Ripon, North Yorkshire
Posts: 146
Thanks: 4
Thanked 14 Times in 14 Posts
From experience of this situation i would in every case advise to create a command alias for a user to only use sudo for those specific commands and add each command as necessary (obviously dont add commands like su,sh,bash,ksh,visudo,passwd). Much better to have a secure server than give full access to a user and firefight in response to his attempts at gaining root.
Sponsored Links
    #3  
Old 01-17-2013
bakunin bakunin is offline Forum Staff  
Bughunter Extraordinaire
 
Join Date: May 2005
Last Activity: 30 September 2014, 9:00 PM EDT
Location: In the leftmost byte of /dev/kmem
Posts: 4,267
Thanks: 45
Thanked 820 Times in 647 Posts
Quote:
Originally Posted by jabalv View Post
Do anyone have idea how to block switching to root if user have full sudo?
I don't quite get it: why does the user have "full sudo" (i assume this to mean he can use every command) if he should not be allowed to become root?

If you don't want someone to utilize "full sudo", then just don't give hime "full sudo". If you get into a situation where you have no other choice than to do that you probably have made a serious error in your rights concept long ago. I suggest you reconsider/redo this instead of patching your environment into something which "almost looks like working".

If you bake a cake and you have forgotten the backery improver, you probably end up with a thing of the consistency of a stone. To grind this thing down to powder, add water and the forgotten bakery improver and expecting this to bake to a (tasting) cake is similarly doomed to disenthrall your expectancies. The only way is to start over and do it right this time.

I hope this helps.

bakunin
    #4  
Old 01-17-2013
Corona688 Corona688 is offline Forum Staff  
Mead Rotor
 
Join Date: Aug 2005
Last Activity: 30 September 2014, 7:25 PM EDT
Location: Saskatchewan
Posts: 19,479
Thanks: 795
Thanked 3,286 Times in 3,081 Posts
You cannot prevent root from being root.

If you don't want someone to abuse root, don't give them root.
Sponsored Links
    #5  
Old 01-17-2013
bitlord bitlord is offline
Registered User
 
Join Date: Mar 2010
Last Activity: 29 September 2014, 11:53 AM EDT
Posts: 333
Thanks: 12
Thanked 41 Times in 39 Posts
To control sudo you must edit the suders file. You can also control who can use sudo by only letting users in certain groups use sudo.
To edit sudo you run this command as root.

Code:
visudo

You will have to edit the file to give less rights to a user who can use sudo. Commonly in Linux the wheel group has access to sudo. If you don't want them to have sudo, remove them from the wheel group.
Sponsored Links
    #6  
Old 01-19-2013
jabalv jabalv is offline
Registered User
 
Join Date: Sep 2011
Last Activity: 6 July 2014, 3:15 PM EDT
Posts: 17
Thanks: 4
Thanked 1 Time in 1 Post
Hi,

Thanks for answers.

Full sudo is for server administrators, but sometimes there are some people who don`t understand what they are doing or just making mistakes.
Also other thing is that, root activities are not logged, but sudo activities are logged under /var/log/secure. How to fight against it?
Sponsored Links
    #7  
Old 01-19-2013
bakunin bakunin is offline Forum Staff  
Bughunter Extraordinaire
 
Join Date: May 2005
Last Activity: 30 September 2014, 9:00 PM EDT
Location: In the leftmost byte of /dev/kmem
Posts: 4,267
Thanks: 45
Thanked 820 Times in 647 Posts
Quote:
Originally Posted by jabalv View Post
Full sudo is for server administrators, but sometimes there are some people who don`t understand what they are doing or just making mistakes.
These shouldn't be server administrators at all! Admins should only be a VERY FEW select people who have proven their skill, everything else is just plain dangerous.

Quote:
Originally Posted by jabalv View Post
Also other thing is that, root activities are not logged, but sudo activities are logged under /var/log/secure. How to fight against it?
This is a no-brainer: start an interactive program as root which allows a shell escape and then do a shell escape - you have a root shell. For instance: "sudo vi", enter ":!sh" and you have a root shell. What one does inside this shell (and even that he opened the shell) is not seen at all in "/var/log/secure". Or one can trim the file after doing something, because root has write access to the log.

It is an old proverbial truth that root can circumvent absolutely any security mechanism as long as it is server-based. The only thing you can do is to log outside of the area of roots control: on another system, where root is not allowed to become root. See the man page of "syslog" for the possibility to do the logging over the network to a remote system.

I hope this helps.

bakunin
The Following User Says Thank You to bakunin For This Useful Post:
jabalv (01-24-2013)
Sponsored Links
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
How to disable root login (Not over SSH)? pinga123 UNIX for Dummies Questions & Answers 2 11-26-2010 04:27 AM
how to disable su root islam.said UNIX for Dummies Questions & Answers 6 02-23-2010 08:11 AM
Disable root for AIX 5.2 james0125 UNIX for Dummies Questions & Answers 0 10-31-2008 04:05 PM
switching between root and a normal user melanie_pfefer Shell Programming and Scripting 3 04-21-2007 07:02 AM
Disable Root Console login SmartJuniorUnix UNIX for Dummies Questions & Answers 2 09-25-2000 01:08 PM



All times are GMT -4. The time now is 01:58 AM.