configuring sudo access for some users
debian at herakles.homelinux.org
Fri Nov 30 22:34:07 UTC 2007
ankush grover wrote:
> Hi friends,
> I want to configure sudo access for some users on my system. I am currently
> using FC7 on my system. What they require (I mean users) is to do all the
> things except they cannot su/su - to become any other user or root user, they
If you try to say they can do everything except ... London to a brick
you will forget something.
If you say they can do these things [ ... ] then probably you will
forget something too, but you will not have so much worry about them
doing something they ought not.
You can probably further constrain them using selinux; you don't want
them using anything that opens (for example) /etc/passwd or /etc/shadow
or /etc/inittab for output.
You don't want them running any shells (so no sudo -i) unless you have
them thoroughly constrained with selinux.
If they can sit at the console and boot manually, you have some problems.
Can someone boot unauthorised media?
-- I could run Knoppix
Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5 \
ro root=/dev/VolGroup00/LogVol00 init=/bin/bash
otoh if you've lost a fight with the proverbial bus, then someone may
well need to do one of these.
> should not be able to change anybody's password or at least root's password,
> cannot modify /etc/sudoers and /etc/pam.d/su files. I have a script which
> can extract all commands issued with "sudo" but if these users become root
> then I won't be able to know who has done what.
AFAIK anyone who can modify the user base can add a "root" user.
Log to another machine, where they cannot interfere with the logs.
> I have already restricted su/su - access by editing /etc/pam.d/su and
> uncommenting the below line:
> # Uncomment the following line to require a user to be in the "wheel" group.
> auth required pam_wheel.so use_uid
> Authentication on my system is done through LDAP but also Use MD5, Use
> Shadow and Local Authorization is sufficient options are enabled so that
> local user for ex myself can login without authenticating to LDAP. Users for
> which I want to configure sudo access will all be authenticated through
> Currently I have added these 2 lines in /etc/sudoers (I used visudo command
> to edit this file)
> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su
You forgot runuser which goes to illustrate my point.
What about the user who writes this program and runs it with su?
07:30 [summer at numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer at numbat ~]$ chmod +x bin/fakeshell
07:31 [summer at numbat ~]$ bin/fakeshell
[summer at numbat ~]$ logout
07:31 [summer at numbat ~]$
Note the shell prompt changed.
> Both test and test2 are able to become root when they use "sudo su - " but
> they are not able to become root user when they issue "su -". How do I
> restrict these users not to become root or any other user through sudo su -
> and also these users should not able to change their or other users
> passwords on this system.
> Thanks & Regards
> Ankush Grover
You cannot reply off-list:-)
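An added example, not from either poster: a small POSIX sh audit that flags the deny-list shape of sudoers rule quoted in the thread ("ALL=(ALL) ALL, !/usr/bin/su"), which the fakeshell, runuser and "sudo su -" cases all get around, and shows the allow-list shape beside it. The sudoers text is constructed for the demo and written to a temp file; the Cmnd_Alias, the %ops group and the service commands in it are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not the original poster's or the list's code): audit a
# sudoers file for "grant ALL, then subtract with !" user specifications,
# the pattern that cannot be made airtight because any command that can
# exec a shell (a wrapper script, runuser, su via sudo) slips through.

# Write a constructed sudoers sample to a temp file and print its path.
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample; the test/test2 lines mirror the rules quoted in the thread
root    ALL=(ALL) ALL
test    ALL=(ALL) ALL, !/usr/bin/su
test2   ALL=(ALL) ALL, !/usr/bin/su
# allow-list shape (assumed names): only the commands these users need
Cmnd_Alias SERVICES = /sbin/service, /usr/bin/systemctl status *
%ops    ALL=(root) SERVICES
EOF
    printf '%s\n' "$f"
}

# Print every non-comment user specification that grants ALL and then
# subtracts commands with "!".  Matches "... =(...) ALL, !..." with an
# optional NOPASSWD: tag; allow-list rules and plain "ALL=(ALL) ALL" do not match.
find_denylist_rules() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -E '=\(.*\)[[:space:]]+(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*,[[:space:]]*!'
}

# Number of flagged rules (0 when the file is clean).
count_denylist_rules() {
    find_denylist_rules "$1" | wc -l | tr -d ' '
}

# Run stand-alone: audit the constructed sample and print what was flagged.
sample=$(make_sample_sudoers)
echo "deny-list style rules in $sample:"
find_denylist_rules "$sample" || true
rm -f "$sample"
```

On a real host point the functions at a copy of /etc/sudoers (and /etc/sudoers.d/*) rather than editing in place; "visudo -c" checks the file's syntax and "sudo -l -U user" shows what a given user is actually granted, which is the quickest way to see that a flagged rule still hands out every command except the one named.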