[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: configuring sudo access for some users



ankush grover wrote:
Hi friends,

I want to configure sudo access for some users on my system. I am currently
using FC7 on my system. What they require (I mean users) is to do all the
things except they cannot su/su- to become anyother user or root user, they

If you try to say they can do everything except ... London to a brick you will forget something.

If you say that can do these things [ ... ] then probably you will forget something too, but you will not have so much worry about them doing something they ought not.

You can probably further constrain them using selinux; you don't want them using anything that opens (for example) /etc/passwd or /etc/shadow or /etc/inittab for output.

You don't want them running any shells (so no sudo -i) unless you have them thoroughly constrained with selinux.

If they can sit at the console and boot manually, you have some problems to solve.

For example.
Can someone boot unauthorised media?
-- I could run Knoppix

Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5 \
  ro root=/dev/VolGroup00/LogVol00 init=/bin/bash

otoh if you've lost a fight with the proverbial bus, then someone may well need to do one of these.

should not be able to change anybody's password or atleast root's password,
cannot modify /etc/sudoers and  etc/pam.d/su files . I have a script which
can extract all commands issued with "sudo" but if these users become root
then I won't be able to know who has done what.

AFAIK anyone who can modify the user base can add a "root" user.

Log to another machine, where they cannot interfere with the logs.



I have already restricted su/su - access by editing /etc/pam.d/su  and
uncommenting the below line:

# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid


Authentication on my system is done through LDAP but also Use MD5, Use
Shadow and Local Authorization is sufficient options are enabled so that
local user for ex myself can login without authenticating to LDAP. Users for
which i want to configure sudo access will all be authenticated through
LDAP.

Currently I have added these 2 lines in /etc/sudoers (I used visudo command
to edit this file)

test ALL=(ALL) ALL, !/usr/bin/su
test2 ALL=(ALL) ALL, !/usr/bin/su

You forgot runuser which goes to illustrate my point.

What about the user who writes this program and runs it with su?

07:30 [summer numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer numbat ~]$ chmod +x bin/fakeshell
07:31 [summer numbat ~]$ bin/fakeshell
[summer numbat ~]$ logout
07:31 [summer numbat ~]$

Note the shell prompt changed.



Both test and test2 are able to become root when they use "sudo su - " but
they are not able to become root user when they issue "su -". How do I
restrict these users not to become root or any other user through sudo su -
and also these users should not able to change their or other users
passwords on this system.


Thanks & Regards

Ankush Grover




--

Cheers
John

-- spambait
1aaaaaaa coco merseine nu  Z1aaaaaaa coco merseine nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]