Restrict SUDO Access

# 15  
Old 02-28-2012
@daWonderer

Quote:
do you know of a list containing all usual commands installed with unix providing something like this (to block execution)?
Emacs, Smitty in AIX, find (you run sudo find / -name "*" -exec rm -f '{}' \; and you blow up the system), PERL (you can run external commands with the "system" function from a PERL script) etc. are the commonly used programs that should never be allowed to be executed through sudo with root privileges. There are a myriad of other programs/tools which are potentially dangerous when used with sudo (root permission).

Quote:
Is there a short and simple way to disable 'sudo' for connections created by 'ssh'?

Technically, I don't think you could do that. Once you get authenticated through SSH, you have all of the access you would have if you logged into the console of the machine. If that includes sudo, then you will have sudo access. Nothing can be done to block it (as far as my knowledge goes, but I could be wrong!).

Quote:
what a surprise - 'visudo' tells me there is a syntax error in this line! How to enable the includes?

includedir should always be preceded by #. It's like #include <stdin.h> in a C program.
Here's what a RHEL sudoers file has to say:
Code:
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

If you need an idea about the sudoers file and how to simulate RBAC with it, check my old post in this forum.

Last edited by admin_xor; 02-28-2012 at 07:02 PM..
# 16  
Old 03-05-2012
  1. I am using a Red Hat Enterprise 5 Linux box. I find that if a user is in the /etc/sudoers file, then if the user runs a command with sudo, the user will run this command with root privilege (without knowing the root password; the user running sudo only needs to input the user's own password in order to run a command with sudo). Is that a correct understanding?
  2. If yes, then is it a security hole? Since users other than root could run with root privilege?
# 17  
Old 03-05-2012
Your understanding is correct, but this is not a security hole unless it is managed badly.

The root user decides who is added to the sudoers file, and also what commands this user can run as sudo. While often the user is given access to all commands and can sudo any of them, this does not have to be the case. It could be set up to only allow sudo access to a small number of commands or even just to one.

As the root user (administrator) has final control over who is added to the sudoers file and what permissions they are given, it is not a security hole if they're doing their job correctly.
# 18  
Old 03-05-2012
As spynappels said, sudo does not create a security hole if /etc/sudoers is managed carefully. sudo has been used as an industry standard, although you also have Role Based Access Control with SELinux (and RBAC in Solaris and AIX).

Just to make a point here: using sudo, not only can you delegate root privileges, but you can also do the same for any user account.
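The thread makes two points an administrator would want to check mechanically: post #15 lists programs (find, perl, emacs) that should never be granted through sudo because they can run arbitrary commands as root, and posts #17 and #18 note that a sound sudoers policy grants a small set of commands, possibly as a non-root target user. The script below is an added example, not code from the thread or any poster: it parses a constructed sudoers drop-in and flags rules that grant ALL or grant a shell-escape-capable program without the NOEXEC tag. The user names, paths, and the SHELL_ESCAPE_CMDS list are illustrative assumptions; the rule syntax, Cmnd_Alias, NOPASSWD and NOEXEC are real sudoers features.

```python
"""Audit a sudoers drop-in for risky grants (added example, not from the thread).

Flags rules that (a) grant ALL commands, or (b) grant a program that can spawn
a shell (find -exec, perl's system(), editor shell-outs) without NOEXEC.
"""
import os
import re

# Programs that can run arbitrary commands once started as root.
# Illustrative list; extend it for your own environment.
SHELL_ESCAPE_CMDS = {"find", "perl", "emacs", "vi", "vim", "less", "more", "awk"}

# sudoers command tags that may prefix a command in a rule.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# Constructed sample drop-in, as it might live in /etc/sudoers.d/ops.
SAMPLE_SUDOERS = """\
# Constructed example drop-in
Cmnd_Alias SERVICES = /usr/bin/systemctl restart httpd, /usr/bin/systemctl status httpd
Cmnd_Alias DANGEROUS = /usr/bin/find, /usr/bin/perl

%webops  ALL=(root) NOPASSWD: SERVICES
alice    ALL=(ALL) ALL
bob      ALL=(root) DANGEROUS
carol    ALL=(root) NOEXEC: /usr/bin/find
dave     ALL=(appuser) /usr/bin/systemctl status app
"""

# user  host=(runas) [TAG:] cmd, cmd ...   (runas part is optional)
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.*)$")


def parse_sudoers(text):
    """Return (aliases, rules); each rule has user, runas and [(cmd, noexec)]."""
    aliases = {}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        # '#include'/'#includedir' are directives; every other '#' line is a comment.
        if not line or (line.startswith("#") and not line.startswith("#include")):
            continue
        if line.startswith("#include") or line.startswith("Defaults"):
            continue  # not a privilege grant, out of scope here
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, spec = m.groups()
        cmds = []
        noexec = False  # tags persist across later commands in the same rule
        for item in spec.split(","):
            tokens = item.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAGS:
                tag = tokens.pop(0)[:-1]
                if tag == "NOEXEC":
                    noexec = True
                elif tag == "EXEC":
                    noexec = False
            if not tokens:
                continue
            cmd = " ".join(tokens)
            for expanded in aliases.get(cmd, [cmd]):
                cmds.append((expanded, noexec))
        rules.append({"user": user, "runas": runas or "root", "cmds": cmds})
    return aliases, rules


def audit(text):
    """Return (user, runas, command, reason) tuples for every risky grant."""
    _aliases, rules = parse_sudoers(text)
    findings = []
    for rule in rules:
        for cmd, noexec in rule["cmds"]:
            base = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((rule["user"], rule["runas"], cmd,
                                 "grants every command"))
            elif base in SHELL_ESCAPE_CMDS and not noexec:
                findings.append((rule["user"], rule["runas"], cmd,
                                 "can spawn a shell; add NOEXEC or drop the grant"))
    return findings


if __name__ == "__main__":
    for user, runas, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

On the sample, alice's `ALL` and bob's find and perl grants are reported, while carol's NOEXEC find and dave's grant as the non-root `appuser` pass. NOEXEC is a mitigation rather than a guarantee: it works by intercepting the dynamic loader, so it does not constrain statically linked programs, and a grant that is not needed is still better removed than tagged.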