×
UNIX.COM Login
Username:
Password:  
Show Password






👤


UNIX for Advanced & Expert Users

Expert-to-Expert. Learn advanced UNIX, UNIX commands, Linux, Operating Systems, System Administration, Programming, Shell, Shell Scripts, Solaris, Linux, HP-UX, AIX, OS X, BSD.

How to provide root access via sudo with restrictions?

Tags
linux and unix, sudo root access restriction

👤 Login to reply

 
Thread Tools Search this Thread Display Modes
    #1  
Old 03-10-2018
anuragr anuragr is offline
Registered User
 
Join Date: Mar 2016
Last Activity: 7 April 2018, 7:04 AM EDT
Posts: 10
Thanks: 3
Thanked 0 Times in 0 Posts
How to provide root access via sudo with restrictions?

Hi,
I have a requirement to provide root access but user should not run some specific commands, How it is possible.

following is my configuration at sudoers file,




Code:
Cmnd_Alias MYLIMIT = /usr/bin/passwd /sbin/shutdown /usr/bin/reboot /usr/sbin/visudo /bin/vi /usr/bin/vim
test2 ALL=(ALL)NOPASSWD:  ALL, !MYLIMIT
%wheel ALL = NOPASSWD:ALL, !MYLIMIT

its not working, following is next attempt



Code:
test2 ALL=(ALL)NOPASSWD: !/usr/bin/passwd, !/usr/sbin/visudo  ALL
#OR#
test2 ALL=(ALL)NOPASSWD: ALL, !/usr/bin/passwd, !/usr/sbin/visudo

nothing worked, after all attempts following is result



Code:
[test2@rhel6-server ~]$ sudo su
Last login: Sat Mar 10 17:15:07 IST 2018 on pts/12
[root@rhel6-server test2]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

Please help


Moderator's Comments:
How to provide root access via sudo with restrictions? Please use CODE (not ICODE) tags as required by forum rules!

Last edited by RudiC; 03-10-2018 at 07:47 AM.. Reason: Changed CODE tags.
Sponsored Links
    #2  
Old 03-10-2018
RudiC RudiC is offline Forum Staff  
Moderator
 
Join Date: Jul 2012
Last Activity: 16 July 2018, 3:46 PM EDT
Location: Aachen, Germany
Posts: 13,062
Thanks: 447
Thanked 4,011 Times in 3,688 Posts
Methinks you have a syntax error in the Cmnd_Alias as the Cmnd_List should be comma delimited, but the actual reason for your "error" is that you're running the passwd command as root.
man su:
Quote:
Invoked without a username, su defaults to becoming the superuser.

Last edited by RudiC; 03-10-2018 at 09:19 AM..
The Following User Says Thank You to RudiC For This Useful Post:
jim mcnamara (03-10-2018)
Sponsored Links
    #3  
Old 03-11-2018
anuragr anuragr is offline
Registered User
 
Join Date: Mar 2016
Last Activity: 7 April 2018, 7:04 AM EDT
Posts: 10
Thanks: 3
Thanked 0 Times in 0 Posts
Dear RudiC,
very thanks for your prompt response, the reason for my "error" is my biggest problem. its our requirement to give root access but with restriction and users are really giving a headache to me, they just login and do

Code:
sudo su

and change in

Code:
sudoers

or in

Code:
passwd

file to give them rights.
its really difficult to analyse the logs on daily basis, we only came to know when something nasty happened.
please suggest if there is any other alternate solution to this.

Last edited by anuragr; 03-11-2018 at 06:29 AM..
    #4  
Old 03-11-2018
RudiC RudiC is offline Forum Staff  
Moderator
 
Join Date: Jul 2012
Last Activity: 16 July 2018, 3:46 PM EDT
Location: Aachen, Germany
Posts: 13,062
Thanks: 447
Thanked 4,011 Times in 3,688 Posts
That sounds like an offence of company / organisation policies - should those exist. Time to establish at least some sort of rules, no?

Why don't you in sudoers prohibit su for anyone but root so sudo su will fail and be reported?

And, BTW, analysing reports for offences can be made an automated task...

EDIT: Re-reading your post, I see that some root access is necessary. This is exactly what sudo is for, not su. man sudo:
Quote:
sudo allows a permitted user to execute a command as the superuser
So, you should list the allowed users for execution of a certain limited set of commands, which, btw, should be the method preferred over what you presented above. man sudoers:
Quote:
Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended
All man info from an Ubuntu linux 17.10 system...

Last edited by RudiC; 03-11-2018 at 07:33 AM..
The Following User Says Thank You to RudiC For This Useful Post:
anuragr (03-11-2018)
Sponsored Links
    #5  
Old 03-11-2018
anuragr anuragr is offline
Registered User
 
Join Date: Mar 2016
Last Activity: 7 April 2018, 7:04 AM EDT
Posts: 10
Thanks: 3
Thanked 0 Times in 0 Posts
Yes Dear, this is violation and 2 are fired as well, but still extra enthusiastic/passionate/committed users are with us. mail is also blocked in servers so no offense reported via email.
just tied hand & legs and ordered to provide this


Code:
test2 ALL=(ALL)NOPASSWD:  ALL

but users should not do this and that.

now i have only option left to get the list of commands from teams and allow only those via

Code:
sudoers

Please correct me if i am wrong or there is any other solution
Sponsored Links
    #6  
Old 03-11-2018
RudiC RudiC is offline Forum Staff  
Moderator
 
Join Date: Jul 2012
Last Activity: 16 July 2018, 3:46 PM EDT
Location: Aachen, Germany
Posts: 13,062
Thanks: 447
Thanked 4,011 Times in 3,688 Posts
We may have a cross-posting here, but this is exactly what I proposed in my (edited) post#4.
Sponsored Links
👤 Login to reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Sudo access of rm to non-root user solaris_1977 Solaris 9 08-24-2017 02:40 PM
How to provide read access to root crontab? ctrld UNIX for Beginners Questions & Answers 1 03-02-2017 09:45 AM
Sudo to user other than root but do not allow sudo to root westmoreland Red Hat 1 02-03-2015 12:40 PM
sudo/root access daWonderer UNIX for Dummies Questions & Answers 0 02-10-2012 05:47 AM
nix User Access Restrictions to Network, USB ports, PCMCIA, CDROM netfreighter Linux 1 05-05-2011 01:12 PM



All times are GMT -4. The time now is 09:57 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.