sudo: blocking specific commands
# 8  
Old 03-09-2012
Quote:
Originally Posted by Corona688
For that matter, they could always try the sledgehammer approach:

Code:
sudo cp /bin/sh /usr/bin/freakazoid ; sudo /usr/bin/freakazoid


..and if you can't let them have cp, what can they have?

You're still stuck trying to stop root from being root.
Are you sure this is working for you with a user which has /etc/sudoers entry similar to what you posted?

Because it does not work for me (which is a good sign) with a similar setup:

Code:
[testuser@blue testuser]$ sudo cp /bin/sh /usr/bin/blahblah
[sudo] password for testuser:
Sorry, user testuser is not allowed to execute '/bin/cp /bin/sh /usr/bin/blahblah' as root on blue.
[testuser@blue testuser]$

Although my knowledge is limited to AIX, Solaris and Linux, I have seen vi appear in /usr/bin as well on some systems. That's the reason I was concerned and felt obligated to inform the OP about this.
# 9  
Old 03-12-2012
One would be able to circumvent this by using setuid and a small C program that calls a shell script containing only /usr/bin/ksh.

That would result in a ksh shell running as root.
The tools needed are gcc (not sudoed) and (sudo) chown/chmod.
# 10  
Old 03-12-2012
Quote:
Originally Posted by Peasant
One would be able to circumvent this by using setuid and a small C program that calls a shell script containing only /usr/bin/ksh.

That would result in a ksh shell running as root.
The tools needed are gcc (not sudoed) and (sudo) chown/chmod.
Excellent catch!!

But Corona has given a solid example here. As /bin is not listed as permitted and ALL is not specified, sudo's default behaviour is to deny access. As chmod/chown live in /bin, the user will not be able to execute them with sudo. Also, the user cannot copy or link chmod or chown into /usr/bin (the only permitted directory), because cp also lives in /bin, and /usr/bin is owned by root, so the user has no write permission there. The user is trapped well.
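The three posts above turn on the shape of the sudoers rule: a directory grant such as /usr/bin/ hands over every binary that lives there, and whether that is safe depends on what else (vi, cp, chmod/chown, a shell) happens to be installed in that directory. The following POSIX sh/awk audit is an added example, not code from the thread: it reads sudoers text and flags the rule shapes the discussion is worried about. The sudoers content is constructed; the testuser rule is assumed to have the `user ALL=(root) /usr/bin/` shape the posts imply.

```shell
#!/bin/sh
# Constructed sample sudoers text (not a real file). The testuser rule
# mirrors the directory-grant shape discussed in the thread.
SAMPLE_SUDOERS='# constructed sample, not a real sudoers file
root     ALL=(ALL) ALL
testuser ALL=(root) /usr/bin/
appuser  ALL=(root) /usr/sbin/service httpd restart, /usr/bin/vi /etc/motd
ops      ALL=(root) NOPASSWD: /usr/bin/systemctl status *
'

# audit_sudoers: read sudoers text on stdin, print one finding per line.
# Flags: "ALL" grants, directory grants (trailing slash), and commands
# whose basename is a shell, an editor, or a file-ownership tool.
audit_sudoers() {
  sed 's/#.*//' | awk '
    NF && $2 ~ /=/ {
      user = $1
      sub(/^[^ \t]+[ \t]+[^ \t]+=/, "")                # drop "user HOST="
      sub(/^\([^)]*\)[ \t]*/, "")                       # drop "(runas)"
      sub(/^(NOPASSWD|PASSWD|SETENV|NOEXEC):[ \t]*/, "") # drop tag
      n = split($0, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        sub(/^[ \t]+/, "", c); sub(/[ \t]+$/, "", c)
        if (c == "ALL") { print user ": grants ALL"; continue }
        if (c ~ /\/$/)  { print user ": directory grant " c; continue }
        split(c, parts, /[ \t]+/); bin = parts[1]
        sub(/.*\//, "", bin)                            # keep basename only
        if (bin ~ /^(vi|vim|sh|bash|ksh|cp|chmod|chown)$/)
          print user ": shell, editor or ownership tool " c
      }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

On a real host the same function can be fed `sudo -l` or a sudoers copy; a directory grant shows up as a single finding regardless of how many binaries it exposes.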