The Customize Windows Technology Blog http://thecustomizewindows.com Restrict sudo Users Running Specific Commands Author : Abhishek Restrict sudo Users Running Specific Commands for Apple's OS X, BSD and GNU Linux in various ways. This is a good way to increase security. It is not that, always we want to Restrict sudo Users Running Specific Commands for Not Relying, but mostly it is to prevent unknowing done errors which basically can destroy a system. If one changes the group ownership to Apache (www-data) with sudo command while at root, it will be impossible in most cases to revive the system. Restrict sudo Users Running Specific Commands : Understanding the Difference of Philosophy in GNU Linux and UNIX In UNIX, there is WHEEL GROUP. We talked about this UNIX Wheel Group in details in previously published article. Why we mentioned, re-enabling Wheel Group increases the control on users was explained. GNU Linux, by Philosophy do not like that way. As we said there, by running `visudo` command, you can restrict by specific commands you want to restrict : # restrict NetworkManager ; add these lines user ALL=!/etc/init.d/Ne tworkManager restart user ALL=!/etc/init.d/network restart But if someone runs : sudo bash This is the basic reason we mentioned about Wheel Group, see Arch Linux Wiki : https://wiki.archlinux.org/index.php/sudo Practically, the methods people mentions are for casual users; a serious user with definite target can manipulate the file permissions. There is another known method : 1 / 3 The Customize Windows Technology Blog http://thecustomizewindows.com If we edit the `/etc/sudoers.d` file instead of modifying `/etc/sudoers`; If your user is called user and your host is called host you could add these lines to `/etc/sudoers.d` : user host = (root) NOPASSWD: /sbin/shutdown user host = (root) NOPASS WD: /sbin/reboot If password is protected to allow, obviously except the root none will able to run any commands except which commands are whitelisted. Restrict sudo Users Running Specific Commands But Do Not Get Locked In case, you are locked, you need to know about `pkexec` command : http://manpages.ubuntu.com/manpages/precise/en/man1/pkexec.1.html #Ex ample pkexec visudo -f /etc/sudoers.d/shutdown pkexec chown root:ro ot /etc/sudoers.d/shutdown pkexec chmod 0440 /etc/sudoers.d/shutdown 2 / 3 The Customize Windows Technology Blog http://thecustomizewindows.com # the permission will become ls -l /etc/sudoers.d/shutdown # outp ut -r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown You can check for `Cmnd_Alias` function : https://help.ubuntu.com/community/Sudoers But, sudo assumes we trust our users, that is GNU Philosophy : visudo # Edit to Defaults logfile=/var/log/sudo.log Defaults timest amp_timeout=0 # Add Alias Cmnd_Alias NVSU = /usr/sbin/visudo Cmnd_A lias NSU = /bin/su Cmnd_Alias NSHELLS = /bin/sh,/bin/bash Cmnd_Alias NYUM = /usr/bin/yum Cmnd_Alias NPASSWD = /usr/bin/passwd # enforce rules %group_name ALL=(ALL) ALL, !NVSU, !NSU, !NSHELLS,!NPASSWD Whenever you user can access to usernamed folder and you have some softwares like Java, Ruby, Python, PHP, Perl - any of them installed, it is basically possible to do many things. Wheel Group system actually makes the administration easier. 3 / 3 Powered by TCPDF (www.tcpdf.org).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages3 Page
-
File Size-