RE: sudoers
- From: "Mertens, Bram" <mertensb@xxxxxxxxxxxx>
- Date: Thu, 25 Oct 2007 12:38:45 +0200
I don't believe any restrictions you'll make to this setup will have much effect.
No matter what commands you'll disallow for these users to execute in /usr/local/bin there's tons of ways they can circumvent it:
Sudo visudo + remove the restrictions
Sudo bash + and do whatever they want as root WITHOUT any logging
Create a symbolic link to /usr/local/bin will probably also circumvent any restrictions
..
It is probably safer to allow only those commands they really need rather than trying to open everything and then close some things again.
If you want to add restrictions look into the su and passwd commands in the suoders man page:
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user pete is allowed to change anyoneâs password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take mul-
tiple usernames on the command line.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the ALPHA machines, user john may su to anyone except root but he is
not allowed to give su(1) any flags.
Regards
Bram
--
Bram Mertens
Web application Administrator / Red Hat Certified Technician
Mazda Motor Logistics Europe N.V.
Tel.: +32 3 860 12 61
Mazda Motor Logistics Europe NV, Blaasveldstraat 162, B-2830 Willebroek
VAT BE 406.024.281, RPR Mechelen, ING 310-0092504-52, IBAN : BE64 3100 0925 0452, SWIFT : BBRUBEBB
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Johan Booysen
Sent: donderdag 25 oktober 2007 10:34
To: General Red Hat Linux discussion list
Subject: sudoers
On one of our development servers, we have a number of developers
specified in /etc/sudoers:
abc ALL=(ALL) ALL
def ALL=(ALL) ALL
ghi ALL=(ALL) ALL
jkl ALL=(ALL) ALL
Now I need to restrict access to /usr/local/bin, so that only the root
user can make changes to that directory. Even the people in
/etc/sudoers should not be able to make changes to /usr/local/bin.
How can I adapt /etc/sudoers to achieve this? I've already
read the man
page and will investigate, but any quick pointers will be appreciated.
Thanks.
Johan
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=subscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
- References:
- sudoers
- From: Johan Booysen
- sudoers
- Prev by Date: sudoers
- Next by Date: RE: Xen and the art of Database performance
- Previous by thread: sudoers
- Index(es):
Relevant Pages
- RE: Linux auditing checklist, documents
... Edit the hosts.deny file and add the following lines: ... Disallow root login
from different consoles ... number of commands and delete it on logout of the user. ...
By default, when you login to a Linux box, it tells you the Linux ... (Security-Basics) - RE: Linux auditing checklist, documents
... Edit the hosts.deny file and add the following lines: ... Disallow root login
from different consoles ... number of commands and delete it on logout of the user. ...
By default, when you login to a Linux box, it tells you the Linux ... (Security-Basics) - Re: Help with sudoers and wheel - "Old Guy" or anyone?
... (I am root on my home systems, and have "root" user accounts at work, ... Notice
- no permissions for normal users to run. ... members of the 'wheel' group could
run those commands. ... >Use halt, reboot, shutdown, mount, and tcpdump commands. ...
(comp.os.linux) - Re: Root access loggin
... Subject: Root access loggin ... commands with sudo assume that the user
actually knows what commands ... Sudo wouldn't be any help here cause I would need to pre
approve ... the wheel group and using visudo to grant wheel access to everything ...
(freebsd-questions) - Re: sudo doesnt work, Im not in sudoers file, but I am.
... user gene is not allowed to execute '/bin/ls -l' as root on ... ~ %wheel
ALL=ALL ... (Fedora)
