👤
Home Man
Search
Today's Posts
Register

Expert-to-Expert. Learn advanced UNIX, UNIX commands, Linux, Operating Systems, System Administration, Programming, Shell, Shell Scripts, Solaris, Linux, HP-UX, AIX, OS X, BSD.

How to provide root access via sudo with restrictions?

Tags
linux and unix, sudo root access restriction

👤 Login to reply

 
Thread Tools Search this Thread
# 1  
Old 03-10-2018
How to provide root access via sudo with restrictions?

Hi,
I have a requirement to provide root access but user should not run some specific commands, How it is possible.

following is my configuration at sudoers file,


Code:
Cmnd_Alias MYLIMIT = /usr/bin/passwd /sbin/shutdown /usr/bin/reboot /usr/sbin/visudo /bin/vi /usr/bin/vim
test2 ALL=(ALL)NOPASSWD:  ALL, !MYLIMIT
%wheel ALL = NOPASSWD:ALL, !MYLIMIT

its not working, following is next attempt

Code:
test2 ALL=(ALL)NOPASSWD: !/usr/bin/passwd, !/usr/sbin/visudo  ALL
#OR#
test2 ALL=(ALL)NOPASSWD: ALL, !/usr/bin/passwd, !/usr/sbin/visudo

nothing worked, after all attempts following is result

Code:
[test2@rhel6-server ~]$ sudo su
Last login: Sat Mar 10 17:15:07 IST 2018 on pts/12
[root@rhel6-server test2]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

Please help


Moderator's Comments:
How to provide root access via sudo with restrictions? Please use CODE (not ICODE) tags as required by forum rules!

Last edited by RudiC; 03-10-2018 at 07:47 AM.. Reason: Changed CODE tags.
# 2  
Old 03-10-2018
Methinks you have a syntax error in the Cmnd_Alias as the Cmnd_List should be comma delimited, but the actual reason for your "error" is that you're running the passwd command as root.
man su:
Quote:
Invoked without a username, su defaults to becoming the superuser.

Last edited by RudiC; 03-10-2018 at 09:19 AM..
The Following User Says Thank You to RudiC For This Useful Post:
jim mcnamara (03-10-2018)
# 3  
Old 03-11-2018
Dear RudiC,
very thanks for your prompt response, the reason for my "error" is my biggest problem. its our requirement to give root access but with restriction and users are really giving a headache to me, they just login and do
Code:
sudo su

and change in
Code:
sudoers

or in
Code:
passwd

file to give them rights.
its really difficult to analyse the logs on daily basis, we only came to know when something nasty happened.
please suggest if there is any other alternate solution to this.

Last edited by anuragr; 03-11-2018 at 06:29 AM..
# 4  
Old 03-11-2018
That sounds like an offence of company / organisation policies - should those exist. Time to establish at least some sort of rules, no?

Why don't you in sudoers prohibit su for anyone but root so sudo su will fail and be reported?

And, BTW, analysing reports for offences can be made an automated task...

EDIT: Re-reading your post, I see that some root access is necessary. This is exactly what sudo is for, not su. man sudo:
Quote:
sudo allows a permitted user to execute a command as the superuser
So, you should list the allowed users for execution of a certain limited set of commands, which, btw, should be the method preferred over what you presented above. man sudoers:
Quote:
Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended
All man info from an Ubuntu linux 17.10 system...

Last edited by RudiC; 03-11-2018 at 07:33 AM..
The Following User Says Thank You to RudiC For This Useful Post:
anuragr (03-11-2018)
# 5  
Old 03-11-2018
Yes Dear, this is violation and 2 are fired as well, but still extra enthusiastic/passionate/committed users are with us. mail is also blocked in servers so no offense reported via email.
just tied hand & legs and ordered to provide this
Code:
test2 ALL=(ALL)NOPASSWD:  ALL

but users should not do this and that.

now i have only option left to get the list of commands from teams and allow only those via
Code:
sudoers

Please correct me if i am wrong or there is any other solution
# 6  
Old 03-11-2018
We may have a cross-posting here, but this is exactly what I proposed in my (edited) post#4.
👤 Login to reply

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Sudo access of rm to non-root user solaris_1977 Solaris 9 08-24-2017 02:40 PM
How to provide read access to root crontab? ctrld UNIX for Beginners Questions & Answers 1 03-02-2017 09:45 AM
Sudo to user other than root but do not allow sudo to root westmoreland Red Hat 1 02-03-2015 12:40 PM
Auditors want more security with root to root access via ssh keys dvbell SuSE 6 07-12-2013 09:33 AM
sudo/root access daWonderer UNIX for Dummies Questions & Answers 0 02-10-2012 05:47 AM
nix User Access Restrictions to Network, USB ports, PCMCIA, CDROM netfreighter Linux 1 05-05-2011 01:12 PM
How to allow access to some commands having root privleges to be run bu non root user suryashikha UNIX for Dummies Questions & Answers 5 10-30-2009 05:46 AM
To provide restricted access to certain user's on linux box Ashok_oct22 Shell Programming and Scripting 3 08-27-2008 05:01 AM
how to access root priveliges if root password is lost wojtyla Linux 1 02-18-2005 05:24 AM


All times are GMT -4. The time now is 04:34 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?