Login or Register to Ask a Question and Join Our Community


Ubuntu

Restrict SUDO Access

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Ubuntu Restrict SUDO Access
# 8  
Old 02-25-2012
-i option in sudo acts similar to "su - username" or login. It changes the environment to that of the user in question. So the UID and EUID will be that of the user you are trying to sudo to (cbttest). To system it's as if cbttest has logged in and it lets you execute the passwd command. Dangerous but this is the fact!!

---------- Post updated at 02:33 PM ---------- Previous update was at 02:21 PM ----------

By the way, allowing all commands and restricting only passwd does not even get closer to secure your cbttest account. For an example, user can run "sudo -u cbttest vi" and then in vi, they can press ESC and execute "!/bin/sh" to get a shell which will run with cbttest's privileges.

My opinion is to allow execute permission on very limited commands which they really need. Restrict vi, etc. commands which can give shell escape.
Last edited by admin_xor; 02-25-2012 at 03:23 PM.. Reason: typo
This User Gave Thanks to admin_xor For This Post:
daWonderer
# 9  
Old 02-25-2012
Thanks Will Do.

---------- Post updated at 09:39 PM ---------- Previous update was at 03:07 PM ----------

Admin,

I have tried the way you want me to do.

My Sudoers file
Code:
# User privilege specification
root    ALL=(ALL:ALL) ALL

alex    ALL=(cbttest:sytgrp) ALL, !/bin/rm

[alex@ubuntu] "/home/alex/Desktop"
$ whoami
alex
[alex@ubuntu] "/home/alex/Desktop"
$ ls -ltr /home/cbttest/sample_file.log
-rw-rw-r--  1 cbttest sytgrp   41 Feb 25 08:33 sample_file.log
[alex@ubuntu] "/home/alex/Desktop"
$ sudo -u cbttest  rm /home/cbttest/sample_file.log
[sudo] password for alex: *******
[alex@ubuntu] "/home/alex/Desktop"
$ ls -ltr /home/cbttest/sample_file.log
ls: sample_file.log: No such file or directory

So the file got deleted... as per the sudoers file it should fail to delete... but it deleted...

can you please advice.
Last edited by Scott; 02-26-2012 at 07:13 AM.. Reason: Code tags
# 10  
Old 02-26-2012
This is weird!
Can you post the sudoers file here? Just want to have a check why it's permitting such explicit denies.
# 11  
Old 02-27-2012
Quote:
Originally Posted by explorer007
Also I dont have any /var/log/secure*

Please advice
In Ubuntu Linux, this log is located in /var/log/auth.log
# 12  
Old 02-27-2012
may I add another question related to the thread title?

Is there a short and simple way to disable 'sudo' for connections created by 'ssh'?
# 13  
Old 02-27-2012
Quote:
Originally Posted by daWonderer
may I add another question related to the thread title?

Is there a short and simple way to disable 'sudo' for connections created by 'ssh'?
The simplest way is to make them log in as a user which does not have SUDO access.
# 14  
Old 02-28-2012
Quote:
Originally Posted by admin_xor
Also, make sure that you are using visudo to edit /etc/sudoers file as it will show you syntax error.
I started 'visudo' first time after reading this thread and read it.
To apply the includedir directive I've uncommented the last line.

what a surprise - 'visudo' tells me there is a syntax error in this line! How to enable the includes?

---------- Post updated 28-02-12 at 08:56 AM ---------- Previous update was 27-02-12 at 11:07 AM ----------

Quote:
Originally Posted by spynappels
The simplest way is to make them log in as a user which does not have SUDO access.
I think additionally it's good to deny execution of 'su'.

Quote:
Originally Posted by admin_xor
By the way, allowing all commands and restricting only passwd does not even get closer to secure your cbttest account. For an example, user can run "sudo -u cbttest vi" and then in vi, they can press ESC and execute "!/bin/sh" to get a shell which will run with cbttest's privileges.
do you know of a list containing all usual commands installed with unix providing something like this (to block execution)?
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Red Hat

Restrict sudo -i

Hi, I wanted add a group to the sudoers file so they can run sudo commands and blocked su command but it seems they can just run sudo -i to switch to root which defeats my purpose. Is it possible to block sudo -i with the help of sudoers file or any other way. Please advise. The below... (1 Reply)
Discussion started by: Jartan
1 Replies

2. UNIX for Dummies Questions & Answers

Restrict access

I'm trying to use squid to restrict elinks' access to certain websites(only http traffic). I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :) ---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Discussion started by: Birnbacher
1 Replies

3. Solaris

restrict sudo and chown in specified directory

Hi Dears, I have one requirement like this: general user A can execute command C with root privilege by sudo configuration some folders and files are created during the command C execution user A cannot access those folders and files because the owner is root user, so I want the user A... (0 Replies)
Discussion started by: crest.boy
0 Replies

4. Shell Programming and Scripting

Restrict access to .ksh scripts

Hi, How to restrict access to a .ksh script in such the way that the users can only execute the script, neither read nor write. I tried the below code so that my user alone has the rwx and other users can only execute. chmod 711 sample.ksh But when I logged in as a different user... (26 Replies)
Discussion started by: machomaddy
26 Replies

5. Red Hat

Restrict user access

Hi there I have an application user on my system that wants accesses to these file systems as such: rwx: /SAPO /SAPS12 /R3_888 /R3_888B /R3_888F /R3_888R r: /usr/sap these are the existing FS permissions:ownerships: # ls -ld /SAPO (9 Replies)
Discussion started by: hedkandi
9 Replies

6. UNIX for Dummies Questions & Answers

Restrict user access.

Hi All, How can we restrict a particular user access to a particular shell in solaris 10. Thanks in Advance. (5 Replies)
Discussion started by: rama krishna
5 Replies

7. Linux

Restrict NFS access to root

Hi Everybody, If there is a general NFS share in the LAN and for example this share has three files - a, b, c is there any way to restrict file access to the root user of one particular host(falcon) in the same LAN environment while the normal users from the same host(falcon) should be able... (4 Replies)
Discussion started by: sudhirav
4 Replies

8. UNIX for Advanced & Expert Users

Restrict Access to the folder

Hi I have requirement to create 3 new users on my server but to restrict their access to a set of particular folders. /export/home/kapil/shared, /export/home/kapil/shared/Folder1 /export/home/kapil/shared/Folder2 These folders should be accessible to all the 3 users and to me too.... (1 Reply)
Discussion started by: kapilk
1 Replies

9. UNIX for Advanced & Expert Users

Restrict access to specific users.

Hi All! I would like to know if there is any specific way by which I can restrict access to apecific users (ip addresses). OS : Red hat linux Thanks! nua7 (6 Replies)
Discussion started by: nua7
6 Replies

10. UNIX for Advanced & Expert Users

Apache restrict access with certificates

Hello! Does anyone know if it's possible to restrict access to apache webserver with certificates? What I want is that if a user has a certificate in his browser then he get's access, if not show error or another page. I would be very happy if someone knew! /D (2 Replies)
Discussion started by: Esaia
2 Replies
Login or Register to Ask a Question