- 07-07-2010 #1 Just Joined! (Join Date: Jul 2010, Posts: 3)
sudo / sudoers
Hi,
I needed to install sudo to give some users more rights on a Debian server.
Now, I configured the sudoers file according to the needs, but...
I want for example to prevent sudo users from resetting the root passwd.
I've configured this in sudoers so users get a deny when they try to do
Code:
    sudo /usr/bin/passwd root
So far so good, but when a user types sudo -s he gets a rootshell after entering his passwd and then he's able to change the root passwd (along with other things)
How can I prevent this?
kind regards & tnx
- 07-08-2010 #2
Depends how you set up their sudo privileges.
Sudo
There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via sudo. Also, many programs (such as editors) allow the user to run commands via shell escapes, thus avoiding sudo's checks. However, on most systems it is possible to prevent shell escapes with sudo's noexec functionality. See the sudoers(5) manual for details.
It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still be the same. Please see the EXAMPLES section for more information.
If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification.
What's your sudoers file look like?
- 07-08-2010 #3 Just Joined! (Join Date: Jul 2010, Posts: 3)
Hi,
Tnx for coming back to me.
I've looked at the man page, but didn't really find the correct solution, so I'm a bit in trial & error mode.
Here's my /etc/sudoers:
Code:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification
    User_Alias ADMINS = joe, john

    # Cmnd alias specification
    Cmnd_Alias BROWSE = /bin/ls, /bin/cd, /bin/cat, /bin/bash
    Cmnd_Alias EDIT = /usr/bin/vi, !/usr/bin/passwd, !/usr/sbin/visudo, !/usr/bin/sudo -s
    Cmnd_Alias KILL = /bin/kill, /etc/init.d/apache2

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL

    ADMINS ALL=BROWSE,EDIT,KILL
Tnx for your suggestions.
Kind regards
- 07-09-2010 #4 Just Joined! (Join Date: Jul 2010, Posts: 3)
Ok found it, problem solved.
Removed /bin/bash from the Cmnd_Alias
Stupid me
Tnx for your input.
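An added example, not part of the thread: a small Python check that reads the Cmnd_Alias and user lines of the sudoers file posted above and reports granted commands that amount to a root shell, either a shell binary or an editor with shell escapes and no NOEXEC tag. It handles only a simplified subset of sudoers syntax; the function name `audit` and the SHELLS and ESCAPERS lists are assumptions made for this example, not part of sudo.

```python
import re

# Constructed sample: the alias and user lines from the sudoers file posted in the thread.
SUDOERS = """\
User_Alias ADMINS = joe, john
Cmnd_Alias BROWSE = /bin/ls, /bin/cd, /bin/cat, /bin/bash
Cmnd_Alias EDIT = /usr/bin/vi, !/usr/bin/passwd, !/usr/sbin/visudo, !/usr/bin/sudo -s
Cmnd_Alias KILL = /bin/kill, /etc/init.d/apache2
root ALL=(ALL) ALL
ADMINS ALL=BROWSE,EDIT,KILL
"""

# Assumed, non-exhaustive lists; extend them for your own systems.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
ESCAPERS = {"vi", "vim", "less", "more", "man"}  # programs with shell escapes
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit(text, skip_users=("root",)):
    """Return sorted (user, command, reason) findings for a simplified sudoers subset."""
    aliases, findings = {}, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(%?\w+)\s+\w+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or line.startswith(SKIP) or m.group(1) in skip_users:
            continue
        user, noexec = m.group(1), False
        for item in m.group(2).split(","):
            item = item.strip()
            # Tags such as NOEXEC: or NOPASSWD: prefix a command and carry over to later ones.
            while (t := re.match(r"([A-Z_]+):\s*", item)):
                noexec = {"NOEXEC": True, "EXEC": False}.get(t.group(1), noexec)
                item = item[t.end():]
            for cmd in aliases.get(item, [item]):
                if not cmd or cmd.startswith("!"):
                    continue  # '!' entries grant nothing, so there is nothing to flag
                name = cmd.split()[0].rsplit("/", 1)[-1]
                if cmd == "ALL":
                    findings.add((user, cmd, "unrestricted: '!' exclusions cannot contain it"))
                elif name in SHELLS:
                    findings.add((user, cmd, "shell binary: grants a root shell"))
                elif name in ESCAPERS and not noexec:
                    findings.add((user, cmd, "shell escape possible without NOEXEC"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SUDOERS), sep="\n")
```

Removing /bin/bash, as in the last post, clears the first finding; /usr/bin/vi is still reported until it is run under the NOEXEC tag that the quoted manual text refers to.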

