Old 11-30-2007, 05:05 AM
"ankush grover"
 
configuring sudo access for some users

Hi friends,

I want to configure sudo access for some users on my system. I am currently using FC7 on my system. What they require (I mean users) is to do all the things except they cannot su/su - to become any other user or root user, they should not be able to change anybody's password or at least root's password, cannot modify /etc/sudoers and /etc/pam.d/su files. I have a script which can extract all commands issued with "sudo" but if these users become root then I won't be able to know who has done what.



I have already restricted su/su - access by editing /etc/pam.d/su and uncommenting the below line:

# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid



Authentication on my system is done through LDAP but also the "Use MD5", "Use Shadow" and "Local Authorization is sufficient" options are enabled so that a local user, for example myself, can login without authenticating to LDAP. Users for which I want to configure sudo access will all be authenticated through LDAP.


Currently I have added these 2 lines in /etc/sudoers (I used visudo command to edit this file)

test ALL=(ALL) ALL, !/usr/bin/su
test2 ALL=(ALL) ALL, !/usr/bin/su


Both test and test2 are able to become root when they use "sudo su -" but they are not able to become root user when they issue "su -". How do I restrict these users from becoming root or any other user through "sudo su -", and also these users should not be able to change their own or other users' passwords on this system.



Thanks & Regards

Ankush Grover
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 11-30-2007, 06:22 AM
"Dave Burns"
 
configuring sudo access for some users

On Nov 29, 2007 8:05 PM, ankush grover <ankushfedora@gmail.com> wrote:
> What they require (I mean users) is to do all the
> things except they cannot su/su- to become anyother user or root user, they

> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su

test and test2 could then
sudo bash

And then they have an unlimited root shell.
The following gets you a little closer to what you want, but never
really gets you there:

test myhost=(root) !/usr/bin/su,!sudo,!/bin/bash,!/bin/tcsh,!vi,!less

on and on and on and on, listing every command line tool that has a
"shell escape feature". In other words, what you want may be possible
in theory but not in practice. But at least you have to limit them to
a particular user (maybe not root but some other special user with
special ownerships that you have set up).

I recommend defining what commands are okay for them to use, and then
doing some homework to make sure those are safe (no way to escape to a
shell, which is hard to guarantee). Or only give sudo power to people
you trust completely.
HTH,
Dave

 
Old 11-30-2007, 09:34 PM
John Summerfield
 
configuring sudo access for some users

ankush grover wrote:

> Hi friends,
>
> I want to configure sudo access for some users on my system. I am currently
> using FC7 on my system. What they require (I mean users) is to do all the
> things except they cannot su/su - to become any other user or root user, they


If you try to say they can do everything except ... London to a brick
you will forget something.


If you say they can do these things [ ... ] then probably you will
forget something too, but you will not have so much worry about them
doing something they ought not.


You can probably further constrain them using selinux; you don't want
them using anything that opens (for example) /etc/passwd or /etc/shadow
or /etc/inittab for output.


You don't want them running any shells (so no sudo -i) unless you have
them thoroughly constrained with selinux.


If they can sit at the console and boot manually, you have some problems
to solve.


For example.
Can someone boot unauthorised media?
-- I could run Knoppix

Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5
ro root=/dev/VolGroup00/LogVol00 init=/bin/bash

otoh if you've lost a fight with the proverbial bus, then someone may
well need to do one of these.



> should not be able to change anybody's password or at least root's password,
> cannot modify /etc/sudoers and /etc/pam.d/su files. I have a script which
> can extract all commands issued with "sudo" but if these users become root
> then I won't be able to know who has done what.


AFAIK anyone who can modify the user base can add a "root" user.

Log to another machine, where they cannot interfere with the logs.




> I have already restricted su/su - access by editing /etc/pam.d/su and
> uncommenting the below line:
>
> # Uncomment the following line to require a user to be in the "wheel" group.
> auth required pam_wheel.so use_uid
>
>
> Authentication on my system is done through LDAP but also Use MD5, Use
> Shadow and Local Authorization is sufficient options are enabled so that
> local user for ex myself can login without authenticating to LDAP. Users for
> which I want to configure sudo access will all be authenticated through
> LDAP.
>
> Currently I have added these 2 lines in /etc/sudoers (I used visudo command
> to edit this file)
>
> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su


You forgot runuser which goes to illustrate my point.

What about the user who writes this program and runs it with su?

07:30 [summer@numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer@numbat ~]$ chmod +x bin/fakeshell
07:31 [summer@numbat ~]$ bin/fakeshell
[summer@numbat ~]$ logout
07:31 [summer@numbat ~]$

Note the shell prompt changed.




> Both test and test2 are able to become root when they use "sudo su - " but
> they are not able to become root user when they issue "su -". How do I
> restrict these users not to become root or any other user through sudo su -
> and also these users should not able to change their or other users
> passwords on this system.
>
>
> Thanks & Regards
>
> Ankush Grover

--

Cheers
John

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
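Both replies make the same point from different angles: a deny-list of commands cannot keep users out of a root shell, and once they have one the OP's sudo log no longer tells who did what. As an added example (not from the thread), here is the audit idea taken one step further: a Python parser for sudo's syslog entries that checks each COMMAND against an allow-list, flags programs that yield a shell (including John's fakeshell run from a home directory) and editors or pagers with a shell escape. The allowed programs and the log lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Shape of a sudo syslog entry:
#   sudo:  user : TTY=... ; PWD=... ; USER=target ; COMMAND=/path/cmd args
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:\s*TTY=\S+\s*;\s*PWD=\S+\s*;"
    r"\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)
# Allow-list (hypothetical): the only programs these users are expected to run.
ALLOWED = {"/sbin/service", "/usr/bin/yum", "/bin/cat"}
# Programs that hand the caller an interactive shell as the target user.
SHELLS = {"/bin/su", "/usr/bin/su", "/sbin/runuser", "/bin/bash", "/bin/sh",
          "/bin/csh", "/bin/tcsh"}
# Programs with a built-in shell escape (vi's :!, less's !), as Dave notes.
SHELL_CAPABLE = {"/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/more"}

def classify(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse one syslog line into (user, target, command, verdict); None if not sudo."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    command = m.group("command").strip()
    prog = command.split()[0] if command else ""
    if prog in SHELLS:
        verdict = "shell-escape"    # root shell: the per-command audit trail ends here
    elif prog in SHELL_CAPABLE:
        verdict = "shell-capable"   # editor or pager that can spawn a shell
    elif not prog.startswith("/") or prog.startswith(("/home/", "/tmp/")):
        verdict = "untrusted-path"  # user-writable path, e.g. John's bin/fakeshell
    elif prog not in ALLOWED:
        verdict = "not-allowed"
    else:
        verdict = "ok"
    return (m.group("user"), m.group("target"), command, verdict)

def audit(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Classify every sudo record in a block of syslog text, skipping other lines."""
    return [ev for ev in map(classify, log_text.splitlines()) if ev is not None]

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """\
Nov 30 05:05:01 fc7 sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/sbin/service httpd restart
Nov 30 05:06:12 fc7 sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/bin/su -
Nov 30 05:07:40 fc7 sudo:    test2 : TTY=pts/1 ; PWD=/home/test2 ; USER=root ; COMMAND=/bin/bash
Nov 30 05:08:03 fc7 sudo:    test2 : TTY=pts/1 ; PWD=/home/test2 ; USER=root ; COMMAND=/home/test2/bin/fakeshell
Nov 30 05:09:55 fc7 sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Nov 30 05:10:10 fc7 kernel: unrelated message
"""
```

Run `audit(SAMPLE_LOG)` against syslog shipped to a second host, as John suggests, so the records survive even if the flagged user does reach root.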
 
