How to provide root access via sudo with restrictions?


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users How to provide root access via sudo with restrictions?
# 1  
Old 03-10-2018
How to provide root access via sudo with restrictions?

Hi,
I have a requirement to provide root access but user should not run some specific commands, How it is possible.

following is my configuration at sudoers file,


Code:
Cmnd_Alias MYLIMIT = /usr/bin/passwd /sbin/shutdown /usr/bin/reboot /usr/sbin/visudo /bin/vi /usr/bin/vim
test2 ALL=(ALL)NOPASSWD:  ALL, !MYLIMIT
%wheel ALL = NOPASSWD:ALL, !MYLIMIT

its not working, following is next attempt

Code:
test2 ALL=(ALL)NOPASSWD: !/usr/bin/passwd, !/usr/sbin/visudo  ALL
#OR#
test2 ALL=(ALL)NOPASSWD: ALL, !/usr/bin/passwd, !/usr/sbin/visudo

nothing worked, after all attempts following is result

Code:
[test2@rhel6-server ~]$ sudo su
Last login: Sat Mar 10 17:15:07 IST 2018 on pts/12
[root@rhel6-server test2]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.

Please help


Moderator's Comments:
Mod Comment Please use CODE (not ICODE) tags as required by forum rules!

Last edited by RudiC; 03-10-2018 at 08:47 AM.. Reason: Changed CODE tags.
# 2  
Old 03-10-2018
Methinks you have a syntax error in the Cmnd_Alias as the Cmnd_List should be comma delimited, but the actual reason for your "error" is that you're running the passwd command as root.
man su:
Quote:
Invoked without a username, su defaults to becoming the superuser.

Last edited by RudiC; 03-10-2018 at 10:19 AM..
This User Gave Thanks to RudiC For This Post:
# 3  
Old 03-11-2018
Dear RudiC,
very thanks for your prompt response, the reason for my "error" is my biggest problem. its our requirement to give root access but with restriction and users are really giving a headache to me, they just login and do
Code:
sudo su

and change in
Code:
sudoers

or in
Code:
passwd

file to give them rights.
its really difficult to analyse the logs on daily basis, we only came to know when something nasty happened.
please suggest if there is any other alternate solution to this.

Last edited by anuragr; 03-11-2018 at 07:29 AM..
# 4  
Old 03-11-2018
That sounds like an offence of company / organisation policies - should those exist. Time to establish at least some sort of rules, no?

Why don't you in sudoers prohibit su for anyone but root so sudo su will fail and be reported?

And, BTW, analysing reports for offences can be made an automated task...

EDIT: Re-reading your post, I see that some root access is necessary. This is exactly what sudo is for, not su. man sudo:
Quote:
sudo allows a permitted user to execute a command as the superuser
So, you should list the allowed users for execution of a certain limited set of commands, which, btw, should be the method preferred over what you presented above. man sudoers:
Quote:
Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended
All man info from an Ubuntu linux 17.10 system...

Last edited by RudiC; 03-11-2018 at 08:33 AM..
This User Gave Thanks to RudiC For This Post:
# 5  
Old 03-11-2018
Yes Dear, this is violation and 2 are fired as well, but still extra enthusiastic/passionate/committed users are with us. mail is also blocked in servers so no offense reported via email.
just tied hand & legs and ordered to provide this
Code:
test2 ALL=(ALL)NOPASSWD:  ALL

but users should not do this and that.

now i have only option left to get the list of commands from teams and allow only those via
Code:
sudoers

Please correct me if i am wrong or there is any other solution
# 6  
Old 03-11-2018
We may have a cross-posting here, but this is exactly what I proposed in my (edited) post#4.
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Solaris

Sudo access of rm to non-root user

Hello, It is Solaris-10. There is a file as /opt/vpp/dom1.2/pdd/today_23. It is always generated by root, so owned by root only. This file has to be deleted as part of application restart always and that is done by app_user and SA is always involved to do rm on that file. Is it possible to give... (9 Replies)
Discussion started by: solaris_1977
9 Replies

2. UNIX for Beginners Questions & Answers

How to provide read access to root crontab?

Hi, Is there any safe method to provide read access to root's crontab to another user? Just read no other permissions. (1 Reply)
Discussion started by: ctrld
1 Replies

3. Red Hat

Sudo to user other than root but do not allow sudo to root

I have a set of RHEL 5 boxes running our ERP software on Oracle databases. I need to allow my DBA's to su to oracle and one other account (banner) without knowing the oracle or banner password. But I need to prevent them from su'ing to any other user especially root. I only want them to be able to... (1 Reply)
Discussion started by: westmoreland
1 Replies

4. SuSE

Auditors want more security with root to root access via ssh keys

I access over 100 SUSE SLES servers as root from my admin server, via ssh sessions using ssh keys, so I don't have to enter a password. My SUSE Admin server is setup in the following manner: 1) Remote root access is turned off in the sshd_config file. 2) I am the only user of this admin... (6 Replies)
Discussion started by: dvbell
6 Replies

5. UNIX for Dummies Questions & Answers

sudo/root access

I'm actually working with a Ubuntu-System here and have a question about executing a command with 'sudo'. I tried and got a error message like "not allowed". After this I logged in with 'sudo -s' and typed the command without 'sudo'. This worked well. Can please somebody explain me this... (0 Replies)
Discussion started by: daWonderer
0 Replies

6. Linux

nix User Access Restrictions to Network, USB ports, PCMCIA, CDROM

How to create a user account on a Linux desktop machine with restrictions on connecting to the LAN, WAN, PCMCIA ports, Firewire, CDROM and generally any user controllable output options? I have the task to set up a machine for users working with sensitive data that should not be leaving the... (1 Reply)
Discussion started by: netfreighter
1 Replies

7. UNIX for Dummies Questions & Answers

How to allow access to some commands having root privleges to be run bu non root user

hi i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies

8. Shell Programming and Scripting

To provide restricted access to certain user's on linux box

Hi, I need to provide execute access to certain users and not to all users For ex: if ther is a file /home/august/aug.sh. and there are user's like jan,feb,mar,april,May and jan is the owner of that box. I need to provide execute access to feb and mar only. I also know the root pwd for... (3 Replies)
Discussion started by: Ashok_oct22
3 Replies

9. Linux

how to access root priveliges if root password is lost

wish to know how to access root password it root password is forgotten in linux (1 Reply)
Discussion started by: wojtyla
1 Replies
Login or Register to Ask a Question