  #11 anomie (Linux Guru; joined Mar 2005; Texas; 1,692 posts)

    Quote Originally Posted by kakariko81280 View Post
    I don't want to be pessimistic, but I don't think there is a way to achieve exactly what you are after.
    Agreed.

    Quote Originally Posted by bigtomrodney
    Surely you can be more discriminating in the /etc/sudoers file? Grant users only the root permission for what they need?
    Agreed.

    What you're trying to do here is tricky as hell. You have lots of full-on sudoers on the box? So you're trying to hide from lots of folks with root access. That will not work without lots of help from your friendly SELinux administrator.

    Given the hairy scenario that you describe, I'd say you are actually going to want to run the script from a different box. Something is wrong with the whole picture.

  #12 bigtomrodney (Linux Guru; joined Nov 2004; Ireland; 6,133 posts)
    At the risk of sounding cruel, this is poorly implemented security. Actually, this is non-existent security. With root permission a user can become any other user. Encryption is not the answer and, as I mentioned already, there is a definite need to reel in the permissions to the absolute necessities. You may find a workaround to allow you to proceed in the direction you are going, but remember it will only be that: a workaround. I would strongly rethink the security policy going forward.

  #13 (Linux Enthusiast; joined Jul 2005; Maryland; 522 posts)
    How about storing that file on another server where users don't have sudo permissions? And then let them (or a script, or whatever) access the file remotely, but only with certain permissions (controlled by the server where the file is).

  #14 LoneWolf93 (Just Joined!; joined Jul 2007; Malta; 11 posts)
    Quote Originally Posted by thusi02 View Post
    Hi devils_casper,

    Thank you for your reply. However, that solution does not work either. I have looked into this; however, since there is a way to decrypt the file, this will not work. Basically I want a one-way ticket. I want to be able to encrypt the file and have it execute. However, I do not want there to be any way of decrypting the file. So I want a member of the team to put their password into the file and encrypt the file, and be safe that no one else who has sudo access on the system is going to come along and be able to decrypt the file. This is where the dilemma is.

    Any thoughts?

    Cheers,
    Nathan.
    The only plausible solution that crosses my mind at the moment is writing a script/program, hard-coding the encryption yourself in it (obviously in a way in which it is not retrievable from the output) and compiling it. That way you've just "locked the door which has no key". Even though there might be some techniques to analyse it and break it back down to the source code, it's the safest way I can come up with that meets your problem specification. Hope it helps!

    LW

  #15 (Just Joined!; joined Jul 2006; 6 posts)
    Hi bigtomrodney,

    Thank you for that suggestion on the restrictive sudoers file. I am taking that approach and have restricted the users from shells and su. I would ideally like each user to have a script of their own in their home directory and chmod the directory to 700 for them. However, with Ubuntu, does anyone know how to restrict sudo from accessing the home directories of other users? Also, how to prevent sudo from chowning and chmoding the home directories only?

    Thank you
    Regards,

    Nathan.
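The sudoers tightening that bigtomrodney argues for in #12 and that Nathan is attempting in #15 is easy to get wrong: a grant of ALL, of a shell, of su, or of chmod/chown without pinned arguments is root-equivalent, and so is any command with a `*` in its arguments (in sudoers a wildcard in the argument list also matches spaces, so extra arguments can be smuggled past the rule). The following audit script is an added example, not code from anyone in this thread. The sudoers text in SAMPLE_SUDOERS is constructed for the example and shows the kind of grant being argued against (alice, bob, carol) next to the narrow grant the thread recommends (dave). The lists of shells and root-equivalent programs are an assumption and are not exhaustive.

```python
"""Audit an /etc/sudoers file for grants that are root-equivalent.

Added example for the discussion above (not code posted in the thread).
The sudoers text in SAMPLE_SUDOERS is constructed; include/@include
directives are not followed, so run it on a fully expanded file.
"""
import re

# Programs that hand out a root shell directly (assumed list, not exhaustive).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}

# Programs that are root-equivalent when granted without tight arguments:
# su/sudo switch identity, chmod/chown can set a setuid bit or take over any
# file, editors/env/find can spawn a shell (assumed list, not exhaustive).
ESCALATORS = {"/bin/su", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/sudoedit",
              "/bin/chmod", "/usr/bin/chmod", "/bin/chown", "/usr/bin/chown",
              "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/env", "/usr/bin/find"}

# Leading tags such as "NOPASSWD:" in front of a command.
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|LOG_INPUT|LOG_OUTPUT):\s*)+")
# user  host = (runas[:group]) command list
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

SAMPLE_SUDOERS = r"""
# Constructed sudoers for the example; not from any real host.
Defaults    env_reset
Cmnd_Alias  BACKUP = /usr/local/bin/backup.sh
Cmnd_Alias  SERVICES = /usr/sbin/service apache2 restart, \
                       /usr/sbin/service apache2 status
Cmnd_Alias  HOMEFIX = /bin/chown * /home/*, /bin/chmod * /home/*
# Before: the kind of grant the thread is arguing against.
alice   ALL=(ALL:ALL) ALL
bob     ALL=(root) NOPASSWD: /bin/su, /bin/bash
carol   ALL=(root) HOMEFIX
# After: only the commands the job actually needs.
dave    ALL=(root) BACKUP, SERVICES
"""


def _logical_lines(text):
    """Strip comments and join backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            lines.append(line)
    return lines


def _split_commands(rhs):
    """Split a command list on commas and drop leading tags like NOPASSWD:."""
    return [TAG_RE.sub("", c.strip()) for c in rhs.split(",") if c.strip()]


def _expand(cmd, aliases, seen=()):
    """Replace a Cmnd_Alias name with its commands (aliases may nest)."""
    if cmd in aliases and cmd not in seen:
        out = []
        for sub in aliases[cmd]:
            out.extend(_expand(sub, aliases, seen + (cmd,)))
        return out
    return [cmd]


def _reasons(cmd):
    """Why one granted command is root-equivalent; empty list if it is not."""
    if cmd == "ALL":
        return ["ALL: unrestricted root, can run su or a shell"]
    prog, *args = cmd.split()
    reasons = []
    if prog in SHELLS:
        reasons.append("grants a root shell")
    if prog in ESCALATORS:
        reasons.append("%s is root-equivalent (identity switch, setuid bit "
                       "or shell escape)" % prog)
    if any(ch in a for a in args for ch in "*?["):
        reasons.append("wildcard in arguments: '*' also matches spaces, so "
                       "extra arguments can be smuggled in")
    return reasons


def audit(text):
    """Return [(user, expanded command, reason), ...] for every risky grant."""
    aliases, specs, findings = {}, [], []
    for line in _logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, rhs = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = _split_commands(rhs)
        elif line.startswith(("Defaults", "User_Alias", "Host_Alias",
                              "Runas_Alias", "@")):
            continue
        else:
            m = SPEC_RE.match(line)
            if m:
                specs.append((m.group(1), m.group(4)))
    for user, rhs in specs:
        for granted in _split_commands(rhs):
            for cmd in _expand(granted, aliases):
                for why in _reasons(cmd):
                    findings.append((user, cmd, why))
    return findings


if __name__ == "__main__":
    for user, cmd, why in audit(SAMPLE_SUDOERS):
        print("%-6s %-28s %s" % (user, cmd, why))
```

On the constructed file, alice, bob and carol are each flagged and dave is not: carol's HOMEFIX alias is exactly the "let them chmod/chown only their home directory" rule from #15, and it is still flagged twice per command, once because chmod/chown on an attacker-chosen path can set a setuid bit or take over any file, and once because the `*` arguments match more than one word. The practical answer to Nathan's question follows from that: sudo cannot be told to stay out of other users' home directories; the only safe rule is one that pins the full argument list, for example a single wrapper script owned by root that does the chmod itself.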
