Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Sudo -s restriction
Operating Systems Solaris Sudo -s restriction Post 302963747 by neutronscott on Tuesday 5th of January 2016 12:47:44 PM
Old 01-05-2016
From the manual:

Code:
Cmnd_Alias	SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
			 /usr/local/bin/tcsh, /usr/bin/rsh,\
			 /usr/local/bin/zsh

%wheel ALL = ALL, !SHELLS

This should help the casual sneaky. You'd need to makes changes though depending on what your /etc/sudoers looks like now and what shells you've available.
This User Gave Thanks to neutronscott For This Post:
u20sr
 

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Restriction for more than one user

How do l restrict more than one users on a multiple programming environment using the c shell profile. That is if a user is log-on on one terminal the system should be able to prompt a message if the users attempt to log on on another terminal. I user openserver 5.0.4 with dummy terminals, and also... (7 Replies)
Discussion started by: kayode
7 Replies

2. Filesystems, Disks and Memory

Restriction to User

Dear all, I am trying to create a new user account that can have the minimum access to the HP-Ux box, as in it only need to perform system info query like bdf and only able to read access system log files but not able to delete any file from any other directory beside it's own user directory... (5 Replies)
Discussion started by: gelbvonn
5 Replies

3. UNIX for Advanced & Expert Users

Directory restriction warning

Platform: AIX Shell: KSH Does anyone have a good way of warning users that when they do a 'vi' in a certain directory that they cannot save any changes in that directory. For instance, if I have a production id that has all scripts in /myprod/dir, and if anyone comes to this directory and does... (1 Reply)
Discussion started by: giannicello
1 Replies

4. Solaris

FTP Restriction

I have a senario and i wonder how to do it ? i used NcFTPd and i dont think its applicable using that application or i didnt know how to configure it. i want to have a user for FTP that user is only restricted to put and get from a certain directory and all sub-directories for that directory,... (0 Replies)
Discussion started by: mduweik
0 Replies

5. AIX

user session restriction

I want to restrict user's loging according to number of session. example the user named "patrik" can be login concurrently from 12 stations thru telnet the 13th if some body tries to telnet 13th session it should not allow, until any of the 12 sessions are closed. is it possibel ...i think... (2 Replies)
Discussion started by: pchangba1
2 Replies

6. AIX

user session restriction

hi, I am facing a problem from the remote system if i login to my AIX5.3 machine as root (thru telnet) the session does not expire for 2 hours even if the session is kept ideal But whenever i do the same thing from some other user then the session is lost within 10 minutes (if session is kept... (2 Replies)
Discussion started by: pchangba
2 Replies

7. UNIX for Advanced & Expert Users

User restriction

Dear All I had one user called msc. In that i had two folder.xxx and yyy ex: /home/msc/xxx ex: /home/msc/yyy Now i want that msc user only able to access xxx folder only. No other folder should be visible to it. Kindly let me know. How it possile?? Regards Jaydeep (3 Replies)
Discussion started by: jaydeep_sadaria
3 Replies

8. AIX

Print queue restriction

Hi, I'm at AIX 5.3, I have a print queue named chqprinter, I want to allow access to print only 2 users to that print queue, jobs printed by all other users to above queue should be deleted. Any idea how to achieve that? ---------- Post updated at 10:33 AM ---------- Previous update was at... (5 Replies)
Discussion started by: tayyabq8
5 Replies

9. UNIX for Dummies Questions & Answers

Create a new user with restriction

Hello, I would to create a new user with some restriction: 1. The user will not be able to CD any directory (I mean he'll login to the defined home directory and that's all). 2. The user will not be able to delete anything in that home directory Thanks a lot in advance, Shahar (1 Reply)
Discussion started by: shaharoz
1 Replies

10. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption... (9 Replies)
Discussion started by: fluoborate
9 Replies

LEARN ABOUT CENTOS

httpd_webalizer_script_selinux

httpd_webalizer_script_selinux(8)		       SELinux Policy httpd_webalizer_script			 httpd_webalizer_script_selinux(8)

NAME

       httpd_webalizer_script_selinux - Security Enhanced Linux Policy for the httpd_webalizer_script processes

DESCRIPTION

       Security-Enhanced Linux secures the httpd_webalizer_script processes via flexible mandatory access control.

       The httpd_webalizer_script processes execute with the httpd_webalizer_script_t SELinux type. You can check if you have these processes run-
       ning by executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_webalizer_script_t

ENTRYPOINTS

       The httpd_webalizer_script_t SELinux type can be entered via the shell_exec_t, httpd_webalizer_script_exec_t, httpd_webalizer_script_exec_t
       file types.

       The default entrypoint paths for the httpd_webalizer_script_t domain are the following:

       /bin/d?ash,  /bin/zsh.*,  /bin/ksh.*, /usr/bin/d?ash, /usr/bin/zsh.*, /usr/bin/ksh.*, /bin/esh, /bin/mksh, /bin/sash, /bin/tcsh, /bin/yash,
       /bin/bash, /bin/fish, /bin/bash2, /usr/bin/esh, /usr/bin/sash, /usr/bin/tcsh, /usr/bin/yash, /usr/bin/fish,  /usr/bin/mksh,  /usr/bin/bash,
       /sbin/nologin, /usr/sbin/sesh, /usr/bin/bash2, /usr/sbin/smrsh, /usr/bin/scponly, /usr/sbin/nologin, /usr/libexec/sesh, /usr/sbin/scponlyc,
       /usr/bin/git-shell, /usr/libexec/git-core/git-shell

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the system

       You can see the context of a process using the -Z option to ps

       Policy governs the access confined processes have to files.  SELinux httpd_webalizer_script policy is very flexible allowing users to setup
       their httpd_webalizer_script processes in as secure a method as possible.

       The following process types are defined for httpd_webalizer_script:

       httpd_webalizer_script_t

       Note:  semanage	permissive  -a	httpd_webalizer_script_t can be used to make the process type httpd_webalizer_script_t permissive. SELinux
       does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.  httpd_webalizer_script policy is extremely flexible and has  several  bool-
       eans that allow you to manipulate the policy and run httpd_webalizer_script with the tightest access possible.

       If  you	want  to  deny	any  process  from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you must turn on  the	domain_kernel_load_modules  boolean.  Disabled	by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow httpd cgi support, you must turn on the httpd_enable_cgi boolean. Disabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

MANAGED FILES

       The SELinux process type httpd_webalizer_script_t can manage files labeled with the following file types.  The paths listed are the default
       paths for these file types.  Note the processes UID still need to have DAC permissions.

       httpd_webalizer_rw_content_t

COMMANDS

       semanage fcontext can also be used to manipulate default file context mappings.

       semanage permissive can also be used to manipulate whether or not a process type is permissive.

       semanage module can also be used to enable/disable/install/remove policy modules.

       semanage boolean can also be used to manipulate the booleans

       system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage .

SEE ALSO

       selinux(8), httpd_webalizer_script(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) , setsebool(8)

httpd_webalizer_script						     14-06-10					 httpd_webalizer_script_selinux(8)
All times are GMT -4. The time now is 11:09 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy