Sudo -s restriction


 
# 1  
Old 01-05-2016

Is there a way to stop users invoking a root shell with sudo on Solaris 10?

I want users to use sudo <cmd> but not sudo -s
# 2  
Old 01-05-2016
Unless you really limit what command that is, there are many clever ways to invoke a shell. Many users would sudo su or sudo bash, but you can even sudo vi and invoke a shell.

man 5 sudoers has many examples to help limit commands to sudoers
# 3  
Old 01-05-2016
I can see commands with sudoreplay. However, some users are using a shell and I'm losing the command history.

Luke's being sneaky and vader is playing nice in the example below.

Code:
 vader@log > sudo sudoreplay -l user luke
Dec 29 11:46:28 2015 : luke : TTY=/dev/pts/5 ; CWD=/export/home/luke ; USER=root ; TSID=00000O ; COMMAND=/usr/bin/ksh
vader@log > sudo sudoreplay -l user vader
Jan  5 17:28:27 2016 : vader: TTY=/dev/pts/4 ; CWD=/var/log ; USER=root ; TSID=00001S ; COMMAND=/usr/bin/cat /etc/syslog
Jan  5 17:28:32 2016 : vader: TTY=/dev/pts/4 ; CWD=/var/log ; USER=root ; TSID=00001T ; COMMAND=/usr/bin/cat syslog
vader@log >

# 4  
Old 01-05-2016
From the manual:

Code:
Cmnd_Alias	SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
			 /usr/local/bin/tcsh, /usr/bin/rsh,\
			 /usr/local/bin/zsh

%wheel ALL = ALL, !SHELLS

This should help the casual sneaky. You'd need to make changes though depending on what your /etc/sudoers looks like now and what shells you've available.
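The sudoreplay listing in post #3 can also be used to find sessions where the logged command was itself a shell. The script below is an added example, not part of any post in this thread. The shell list is an assumption built from the SHELLS alias above plus `su` and `bash` from post #2, and the last two sample log lines are constructed.

```shell
#!/bin/sh
# Added example: flag sudo I/O-log sessions whose command is itself a shell.
# Assumption: names taken from the SHELLS alias in the thread, plus su and bash.
SHELL_NAMES="sh csh ksh tcsh rsh zsh bash su"

# Reads `sudoreplay -l` output on stdin; prints "user TSID command" per hit.
flag_shell_sessions() {
    awk -v shells="$SHELL_NAMES" '
    BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) is_shell[s[i]] = 1 }
    /COMMAND=/ {
        # Layout: "Mon DD HH:MM:SS YYYY : user : TTY=... ; ... ; COMMAND=..."
        user = $6; sub(/:$/, "", user)
        tsid = ""
        if (match($0, /TSID=[^ ;]+/)) tsid = substr($0, RSTART + 5, RLENGTH - 5)
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        # Compare only the basename of the program, ignoring its arguments.
        split(cmd, argv, " ")
        base = argv[1]; sub(/^.*\//, "", base)
        if (base in is_shell) print user, tsid, cmd
    }'
}

# Sample input: first three entries are from post #3, last two are constructed.
sample_log() {
    cat <<'EOF'
Dec 29 11:46:28 2015 : luke : TTY=/dev/pts/5 ; CWD=/export/home/luke ; USER=root ; TSID=00000O ; COMMAND=/usr/bin/ksh
Jan  5 17:28:27 2016 : vader: TTY=/dev/pts/4 ; CWD=/var/log ; USER=root ; TSID=00001S ; COMMAND=/usr/bin/cat /etc/syslog
Jan  5 17:28:32 2016 : vader: TTY=/dev/pts/4 ; CWD=/var/log ; USER=root ; TSID=00001T ; COMMAND=/usr/bin/cat syslog
Jan  5 17:40:02 2016 : luke : TTY=/dev/pts/5 ; CWD=/export/home/luke ; USER=root ; TSID=00001U ; COMMAND=/usr/bin/su -
Jan  5 17:41:10 2016 : luke : TTY=/dev/pts/5 ; CWD=/export/home/luke ; USER=root ; TSID=00001V ; COMMAND=/usr/bin/vi /etc/hosts
EOF
}

sample_log | flag_shell_sessions
```

On a live host the input would come from `sudo sudoreplay -l | flag_shell_sessions`. The constructed `vi` entry is not flagged, because the listing records only the editor's name, so review those sessions by replaying the TSID.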
# 5  
Old 01-05-2016
Works perfectly - thanks.
# 6  
Old 01-05-2016
And if you're THAT concerned with knowing what users with root access are doing, you probably should consider taking the time to set up auditing and maybe even RBAC.