  1. #1
    Just Joined!
    Join Date
    Jul 2010
    Posts
    3

    sudo / sudoers


    Hi,

    I needed to install sudo to give some users more rights on a debian server.
    Now, I configured the sudoers file according to the needs, but...

    I want, for example, to prevent sudo users from resetting the root passwd.
    I've configured this in sudoers so users get a deny when they try to do
    Code:
    sudo /usr/bin/passwd root
    So far so good, but when a user types sudo -s he gets a root shell after entering his passwd and then he's able to change the root passwd (along with other things).

    How can I prevent this?


    kind regards & tnx

  2. #2
    Linux Guru reed9
    Join Date
    Feb 2009
    Location
    Boston, MA
    Posts
    4,651
    Depends how you set up their sudo privileges.

    Sudo
    There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via sudo. Also, many programs (such as editors) allow the user to run commands via shell escapes, thus avoiding sudo's checks. However, on most systems it is possible to prevent shell escapes with sudo's noexec functionality. See the sudoers(5) manual for details.

    It is not meaningful to run the cd command directly via sudo, e.g.,

    $ sudo cd /usr/local/protected
    since when the command exits the parent process (your shell) will still be the same. Please see the EXAMPLES section for more information.

    If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification.
    What's your sudoers file look like?

  3. #3
    Just Joined!
    Join Date
    Jul 2010
    Posts
    3
    Quote: Originally Posted by reed9
    Depends how you set up their sudo privileges.



    What's your sudoers file look like?

    Hi,

    Tnx for coming back to me.
    I've looked at the man page, but didn't really find the correct solution, so I'm a bit in trial & error mode.

    Here's my /etc/sudoers:

    Code:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #
    
    Defaults        env_reset
    
    # Host alias specification
    
    # User alias specification
    User_Alias 	ADMINS = joe, john
    # Cmnd alias specification
    Cmnd_Alias      BROWSE = /bin/ls, /bin/cd, /bin/cat, /bin/bash
    Cmnd_Alias      EDIT = /usr/bin/vi, !/usr/bin/passwd, !/usr/sbin/visudo, !/usr/bin/sudo -s
    Cmnd_Alias      KILL = /bin/kill, /etc/init.d/apache2
    
    # User privilege specification
    root    ALL=(ALL) ALL
    
    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL
    
    ADMINS   ALL=BROWSE,EDIT,KILL
    Tnx for your suggestions.
    Kind regards

  4. #4
    Just Joined!
    Join Date
    Jul 2010
    Posts
    3
    Ok found it, problem solved.
    Removed /bin/bash from the Cmnd_Alias

    Stupid me
    Tnx for your input.
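
Added example, not part of the original thread: a small Python audit run over the alias and privilege lines from post #3. It flags allowed commands that hand out a root shell, editors that permit shell escapes when NOEXEC is not set, and the `!` exclusions that those entries make ineffective. The shell and editor name lists and the simplified parsing are assumptions of this example.

```python
import re

# Constructed sample: the alias and privilege lines from the sudoers file in post #3.
SAMPLE = """\
Cmnd_Alias      BROWSE = /bin/ls, /bin/cd, /bin/cat, /bin/bash
Cmnd_Alias      EDIT = /usr/bin/vi, !/usr/bin/passwd, !/usr/sbin/visudo, !/usr/bin/sudo -s
Cmnd_Alias      KILL = /bin/kill, /etc/init.d/apache2
ADMINS   ALL=BROWSE,EDIT,KILL
"""

# Assumed, non-exhaustive name lists chosen for this example.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
ESCAPERS = {"vi", "vim", "nano", "emacs", "less", "more", "man"}
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def audit(text):
    """Return sorted (user, command, problem) tuples for a simple sudoers text."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(SKIP)]
    aliases, findings = {}, set()
    for line in lines:  # pass 1: collect Cmnd_Alias definitions
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    for line in lines:  # pass 2: user privilege lines
        m = re.match(r"(?!Cmnd_Alias)(\S+)\s+\w+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m:
            continue
        user, spec = m.groups()
        # Simplification: only tags at the start of the command list are read.
        tags = re.match(r"(?:[A-Z_]+:\s*)*", spec).group(0)
        items = [i.strip() for i in spec[len(tags):].split(",")]
        cmds = [c for i in items for c in aliases.get(i, [i])]
        escapes = set()
        for cmd in (c for c in cmds if not c.startswith("!")):
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or name in SHELLS:
                escapes.add((user, cmd, "gives a root shell"))
            elif name in ESCAPERS and "NOEXEC:" not in tags:
                escapes.add((user, cmd, "shell escape without NOEXEC"))
        findings |= escapes
        if escapes:  # any way to a root shell makes every '!' entry moot
            findings |= {(user, c, "negation can be bypassed")
                         for c in cmds if c.startswith("!")}
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

With `/bin/bash` removed from the sample, the audit still reports `/usr/bin/vi`, which matches the shell-escape caveat quoted from the sudo manual in post #2.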
