I tried that way too, but it did not help. Moreover, let me say this: if the user copies the /usr/bin/passwd binary file to another location, he can still execute the password change.
All I am looking for is that, by any means, he should not be able to execute the password change, but he should be able to execute all the other commands.
Looks like you have some kind of problem there. I tested this fully on my RHEL 6.2 box. It's working perfectly. Copying /usr/bin/passwd to another directory and executing does not even work in my case! What's going on in your Ubuntu box?
Here's the snippet in /etc/sudoers:
Here's what I tested:
Can you check /var/log/secure? Also, make sure that you are using visudo to edit the /etc/sudoers file, as it will show you syntax errors. Recheck all of the aliases you created and make sure there's no colliding rule which permits the user to execute passwd as another.
Also, make sure that you are using visudo to edit the /etc/sudoers file, as it will show you syntax errors.
I started 'visudo' for the first time after reading this thread and read it.
To apply the includedir directive, I've uncommented the last line.
What a surprise - 'visudo' tells me there is a syntax error in this line! How do I enable the includes?
---------- Post updated 28-02-12 at 08:56 AM ---------- Previous update was 27-02-12 at 11:07 AM ----------
Quote:
Originally Posted by spynappels
The simplest way is to make them log in as a user which does not have SUDO access.
I think additionally it's good to deny execution of 'su'.
Quote:
Originally Posted by admin_xor
By the way, allowing all commands and restricting only passwd does not even come close to securing your cbttest account. For example, the user can run "sudo -u cbttest vi" and then in vi, they can press ESC and execute "!/bin/sh" to get a shell which will run with cbttest's privileges.
Do you know of a list containing all the usual commands installed with Unix that provide something like this (to block execution)?
Emacs, Smitty in AIX, find (you run sudo find / -name "*" -exec rm -f '{}' \; and you blow up the system), PERL (you can run external commands with the "system" function from a PERL script) etc. are the commonly used programs that should never be allowed to be executed through sudo with root privileges. There are a myriad of other programs/tools which are potentially dangerous when used with sudo (root permission).
Technically, I don't think you could do that. Once you get authenticated through SSH, you have all of the access you would have if you logged into the console of the machine. If that includes sudo, then you will have sudo access. Nothing can be done to block it (as far as my knowledge goes, but I could be wrong!).
includedir should always be preceded by #. It's like #include <stdin.h> in a C program.
Here's what a RHEL sudoers file has to say:
If you need an idea about sudoers file and how to simulate RBAC with it, check my old post in this forum.
Last edited by admin_xor; 02-28-2012 at 07:02 PM..
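Added example, not part of any post in this thread: a small Python audit that flags the two weaknesses discussed above, a rule that grants ALL and then negates a command such as /usr/bin/passwd, and rules that grant the programs the thread names as able to start other commands without sudo's NOEXEC tag. The sample policy is constructed (only cbttest and /usr/bin/passwd come from the thread), and the parser assumes simple one-line rules with no line continuations or user/host aliases.

```python
import os
import re

# Programs the thread names as able to start other commands or a shell.
ESCAPE_CAPABLE = {"vi", "vim", "emacs", "smitty", "find", "perl", "su"}

# Constructed sample policy; users ops, web and backup are hypothetical.
SAMPLE_SUDOERS = """\
# constructed sample, not the poster's file
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/emacs
cbttest ALL=(ALL) ALL, !/usr/bin/passwd
ops     ALL=(root) EDITORS, /usr/bin/find
web     ALL=(root) NOEXEC: /usr/bin/vi /etc/httpd/conf/httpd.conf
backup  ALL=(root) /usr/bin/rsync
#includedir /etc/sudoers.d
"""

TAG = re.compile(r"^([A-Z_]+):\s*")    # e.g. "NOEXEC:" or "NOPASSWD:"
RULE = re.compile(r"(\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)")

def audit_sudoers(text):
    """Return (line_no, user, finding) tuples for risky one-line rules."""
    lines, aliases, findings = text.splitlines(), {}, []
    for line in lines:                  # pass 1: collect Cmnd_Alias lists
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for no, line in enumerate(lines, 1):  # pass 2: user rules
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith("#") or re.match(r"\w+_Alias\b|Defaults", line):
            continue                    # comments, #includedir, aliases
        who, noexec, has_all, negated = m.group(1), False, False, []
        for spec in (s.strip() for s in m.group(2).split(",")):
            while (tag := TAG.match(spec)):   # tags apply to later commands too
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag.group(1), noexec)
                spec = spec[tag.end():]
            if not spec:
                continue
            if spec.startswith("!"):
                negated.append(spec[1:].strip())
                continue
            for cmd in aliases.get(spec, [spec]):
                name = os.path.basename(cmd.split()[0])
                has_all = has_all or name == "ALL"
                if name in ESCAPE_CAPABLE and not noexec:
                    findings.append((no, who, f"{name} can run other programs; no NOEXEC"))
        if has_all and negated:         # blacklist on top of ALL
            findings.append((no, who, "ALL with negated " + ", ".join(negated)))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(*finding)
```

On the sample it reports the cbttest rule and the three ops grants, and stays silent on the NOEXEC-tagged editor and the rsync rule.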
Hi,
I wanted to add a group to the sudoers file so they can run sudo commands and blocked the su command, but it seems they can just run sudo -i to switch to root, which defeats my purpose.
Is it possible to block sudo -i with the help of the sudoers file or any other way?
Please advise.
The below... (1 Reply)
I'm trying to use squid to restrict elinks' access to certain websites(only http traffic).
I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain to me how you can make these configs :)
---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Hi Dears,
I have one requirement like this:
general user A can execute command C with root privilege by sudo configuration
some folders and files are created during the command C execution
user A cannot access those folders and files because the owner is root user, so I want the user A... (0 Replies)
Hi,
How to restrict access to a .ksh script in such a way that the users can only execute the script, neither read nor write.
I tried the below code so that my user alone has the rwx and other users can only execute.
chmod 711 sample.ksh
But when I logged in as a different user... (26 Replies)
Hi there
I have an application user on my system that wants accesses to these file systems as such:
rwx:
/SAPO
/SAPS12
/R3_888
/R3_888B
/R3_888F
/R3_888R
r:
/usr/sap
these are the existing FS permissions:ownerships:
# ls -ld /SAPO (9 Replies)
Hi Everybody,
If there is a general NFS share in the LAN and for example this share has three files - a, b, c is there any way to restrict file access to the root user of one particular host(falcon) in the same LAN environment while the normal users from the same host(falcon) should be able... (4 Replies)
Hi
I have requirement to create 3 new users on my server but to restrict their access to a set of particular folders.
/export/home/kapil/shared,
/export/home/kapil/shared/Folder1
/export/home/kapil/shared/Folder2
These folders should be accessible to all the 3 users and to me too.... (1 Reply)
Hi All!
I would like to know if there is any specific way by which I can restrict access to specific users (ip addresses).
OS : Red hat linux
Thanks!
nua7 (6 Replies)
Hello!
Does anyone know if it's possible to restrict access to apache webserver with certificates?
What I want is that if a user has a certificate in his browser then he gets access, if not show error or another page.
I would be very happy if someone knew!
/D (2 Replies)