sudoers configuration

Posted on 2010-09-03
Last Modified: 2013-12-04
Hi,

I am configuring sudoers so that some users can run "vi" and "nano" against any file except the shadow and sudoers files. I have the following contents in the /etc/sudoers file.

User_Alias USER1 = bob,smith

Cmnd_Alias EDIT_CMD = /bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = /bin/vi /etc/shadow,/usr/bin/nano /etc/shadow,/bin/vi /etc/sudoers,/usr/bin/nano /etc/sudoers

USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD

But still it is allowing bob and smith to run vi on /etc/shadow...

Any ideas where it is going wrong ...

The machine is running sudo-1.7
Question by:its_ns_04
Expert Comment

by:arnold
ID: 33599864
It might be that your deny rule needs to include vi shadow, visudo, nano shadow, nano sudoers.
The other thing: you can open vi with
sudo vi
and then from within it open any document without restriction.

Alternatively, you can grant them explicit files that they can open
i.e. /bin/vi /etc/httpd/conf/httpd.conf
etc.
Expert Comment

by:woolmilkporc
ID: 33599868
AFAIK "!" should be used inside an alias.

So please try this:


Cmnd_Alias DENY_EDIT_CMD = !/bin/vi /etc/shadow, !/usr/bin/nano /etc/shadow, !/bin/vi /etc/sudoers, !/usr/bin/nano /etc/sudoers
...
USER1 ALL = DENY_EDIT_CMD, EDIT_CMD

wmp
Author Comment

by:its_ns_04
ID: 33599915
Nope, it doesn't work even if I mention it in the Cmnd_Alias. I have already tried that...

The user needs to be able to open a bunch of files, so I cannot do the reverse, i.e. only mention the allow list.
Accepted Solution

by:arnold (earned 250 total points)
ID: 33600982
Not sure it makes a difference whether the entries are individually negated within the alias or the alias is negated as a whole. The issue might be the deny_this, allow_that:
This is not allowed, this is not allowed, this is allowed.
Which will be enforced, the deny or the allow part?


I have not tried to grant such access, but here is a suggestion:

Have you tried just having the deny rule?
USER1 ALL=(DENY_EDIT_CMD) ALL
or
USER1 ALL=(DENY_EDIT_CMD, EDIT_CMD)  ALL

I would think everything else will be treated as allowed.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo

I've not seen mixing allow x, deny y and I am unsure which takes precedence.  Based on your experience, it does not seem that a deny rule overrides any other allow rule.


Try using visudo, when saving, it will check the file for correct syntax and may reflect an error in the formulation.

I don't know whether using a group
%group allow x
USER_DEFINED_alias deny y
might be something to test.
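Added example (not from the thread or from the sudo project): a small Python model of the matching rules in sudoers(5), run over the rules from the question, the negate-inside-the-alias variant suggested above, and a reordered version. It answers the precedence question: sudoers is read top to bottom and the last matching entry wins, so with "!DENY_EDIT_CMD,EDIT_CMD" the bare /bin/vi entry (which matches any arguments) is matched after the deny and wins. Putting the deny last makes the exact string "/bin/vi /etc/shadow" refuse, but arguments are compared literally, so "/bin/vi /etc//shadow", or a plain "sudo vi" followed by ":e /etc/shadow", still gets through; this is why sudoers(5) warns that subtracting commands with "!" is generally not effective. The model parses only User_Alias, Cmnd_Alias and user specifications and assumes the caller typed the full path of the command.

```python
"""Model of sudoers command matching (added example, not from sudo itself).

Mimics the rules in sudoers(5) that matter here: entries are evaluated top
to bottom and the LAST matching entry wins; a matching entry prefixed with
'!' denies; a Cmnd listed without arguments matches any arguments; listed
arguments are compared as one literal string (shell wildcards allowed) and
are never canonicalised.  Only User_Alias, Cmnd_Alias and user specs are
parsed; hosts, Runas specs and tags are skipped.  argv[0] is assumed to be
the full path, as sudo resolves the command via PATH before matching.
"""
import fnmatch
import re


def parse_sudoers(text):
    """Return (cmnd_aliases, user_aliases, specs) for the subset modelled."""
    cmnd_aliases, user_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # '#' starts a comment
        if not line or line.startswith(('Defaults', 'Host_Alias', 'Runas_Alias')):
            continue                                 # not modelled
        if line.startswith('Cmnd_Alias'):
            name, body = line[len('Cmnd_Alias'):].split('=', 1)
            cmnd_aliases[name.strip()] = [c.strip() for c in body.split(',')]
        elif line.startswith('User_Alias'):
            name, body = line[len('User_Alias'):].split('=', 1)
            user_aliases[name.strip()] = [u.strip() for u in body.split(',')]
        else:                                        # "users hosts = cmds"
            users, rest = line.split(None, 1)
            _hosts, cmds = rest.split('=', 1)
            specs.append((users, [c.strip() for c in cmds.split(',')]))
    return cmnd_aliases, user_aliases, specs


def expand(entry, cmnd_aliases, negated=False):
    """Yield (negated, 'path [args]') for one entry, resolving aliases."""
    entry = re.sub(r'^\([^)]*\)\s*', '', entry)      # drop "(runas)"
    entry = re.sub(r'^(?:[A-Z]+:\s*)+', '', entry)   # drop tags like NOPASSWD:
    while entry.startswith('!'):                     # '!!x' is x again
        negated, entry = not negated, entry[1:].strip()
    if entry in cmnd_aliases:
        for sub in cmnd_aliases[entry]:
            yield from expand(sub, cmnd_aliases, negated)
    else:
        yield negated, entry


def matches(cmnd, argv):
    """Does argv match one sudoers Cmnd?"""
    if cmnd == 'ALL':
        return True
    parts = cmnd.split(None, 1)
    if argv[0] != parts[0]:
        return False
    if len(parts) == 1:                              # no args listed: any args
        return True
    user_args = ' '.join(argv[1:])
    if parts[1] == '""':                             # "" means no arguments
        return user_args == ''
    return fnmatch.fnmatchcase(user_args, parts[1])  # literal compare, globs ok


def decide(sudoers_text, user, argv):
    """'allow', 'deny' or 'no match' for user running argv through sudo."""
    cmnd_aliases, user_aliases, specs = parse_sudoers(sudoers_text)
    verdict = 'no match'
    for users, cmds in specs:
        members = set()
        for u in users.split(','):
            members.update(user_aliases.get(u.strip(), [u.strip()]))
        if user not in members:
            continue
        for entry in cmds:
            for negated, cmnd in expand(entry, cmnd_aliases):
                if matches(cmnd, argv):
                    verdict = 'deny' if negated else 'allow'   # last match wins
    return verdict


# Rules exactly as posted in the question.
POSTED = """
User_Alias USER1 = bob,smith
Cmnd_Alias EDIT_CMD = /bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = /bin/vi /etc/shadow,/usr/bin/nano /etc/shadow,/bin/vi /etc/sudoers,/usr/bin/nano /etc/sudoers
USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD
"""
# The "negate inside the alias" variant suggested in the thread.
NEGATED_IN_ALIAS = """
User_Alias USER1 = bob,smith
Cmnd_Alias EDIT_CMD = /bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = !/bin/vi /etc/shadow, !/usr/bin/nano /etc/shadow, !/bin/vi /etc/sudoers, !/usr/bin/nano /etc/sudoers
USER1 ALL = DENY_EDIT_CMD, EDIT_CMD
"""
# Same aliases as POSTED with the deny placed last, so it is matched last.
REORDERED = POSTED.replace('!DENY_EDIT_CMD,EDIT_CMD', 'EDIT_CMD,!DENY_EDIT_CMD')

if __name__ == '__main__':
    cases = [['/bin/vi', '/etc/shadow'], ['/bin/vi', '/etc//shadow'], ['/bin/vi']]
    for label, rules in (('posted', POSTED), ('in-alias', NEGATED_IN_ALIAS),
                         ('reordered', REORDERED)):
        for argv in cases:
            print(f"{label:9} bob: {' '.join(argv):24} -> {decide(rules, 'bob', argv)}")
```

Running it prints "allow" for /bin/vi /etc/shadow under both the posted rules and the in-alias variant, "deny" only under the reordered rules, and "allow" for /bin/vi /etc//shadow and for a bare /bin/vi in every case. The practical conclusion is that a deny list on editor arguments cannot be made tight; a wrapper that canonicalises the path, or sudoedit, is the way to restrict what gets edited.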
Expert Comment

by:gremwell
ID: 33604463
In addition to the issue mentioned by Arnold, there is another one: user can escape from vi to root shell by pressing :!<ENTER>. This particular feature can be disabled by invoking vi with -Z command line option.
Expert Comment

by:gheist
ID: 33610618
VISUAL=`which nano` visudo

You cannot edit sudoers directly; a shadow copy is created from it by visudo.
Expert Comment

by:arnold
ID: 33612517
Any text file can be edited, including shadow and any read-only file. When saving, one would use ! to force the write on the read-only file.
visudo, like vipw, is a tool that verifies the file and prevents simultaneous access, provided all admins use the tool to access the file.

Instead of using vi, you could set up a wrapper script to which you grant these users access, and within this script you would check which file they are trying to open and then either grant access or not.

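Added example implementing the wrapper idea from the comment above; it is not code from the thread. Rather than deciding which file vi may open and then running vi as root (where :e or :! still work, -Z or not), it imitates what sudo's own sudoedit (sudo -e) does, and sudoedit is what to reach for first: copy the file to a temp file owned by the invoking user, run the editor with root privileges dropped, and copy the result back only after the canonical path has passed the check. The install path /usr/local/sbin/restricted-edit, the fixed editor and the deny list (shadow, gshadow, sudoers and sudoers.d) are assumptions.

```python
#!/usr/bin/env python3
"""restricted-edit: edit any file via sudo except a few protected ones.

Added example (not from the thread).  Stripped-down imitation of sudoedit:
the editor never runs as root, so ':e /etc/shadow' or ':!sh' inside it gain
nothing, and the target is checked after canonicalisation, not as typed.

Assumed sudoers line:   USER1 ALL = /usr/local/sbin/restricted-edit
"""
import os
import subprocess
import sys
import tempfile

# Assumed deny list; compared against the canonical path, never the argument.
DENIED = frozenset({'/etc/shadow', '/etc/gshadow', '/etc/sudoers'})
DENIED_DIRS = ('/etc/sudoers.d',)
EDITOR = '/usr/bin/nano'      # fixed on purpose: never honour $EDITOR/$VISUAL


def is_protected(real, denied=DENIED, denied_dirs=DENIED_DIRS):
    """True if the canonical path is, or lies under, a protected name."""
    return real in denied or any(
        real == d or real.startswith(d + '/') for d in denied_dirs)


def check_target(path, denied=DENIED, denied_dirs=DENIED_DIRS):
    """Canonicalise path and return it, or raise PermissionError.

    os.path.realpath collapses '//' and '..' and follows symlinks, so
    /etc//shadow, /etc/../etc/shadow and a symlink to /etc/shadow all end
    up as the same denied name.  A literal compare, which is what sudoers
    does with command arguments, would let every one of them through.
    """
    real = os.path.realpath(path)
    if is_protected(real, denied, denied_dirs):
        raise PermissionError(f'{path} -> {real} is protected')
    return real


def drop_privs():
    """preexec_fn: become the user who invoked sudo before exec'ing the editor."""
    uid, gid = int(os.environ['SUDO_UID']), int(os.environ['SUDO_GID'])
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def edit(path, editor=EDITOR):
    """sudoedit-style: edit a copy as the calling user, then write it back."""
    real = check_target(path)
    uid, gid = int(os.environ['SUDO_UID']), int(os.environ['SUDO_GID'])
    original = b''
    if os.path.exists(real):
        with open(real, 'rb') as f:
            original = f.read()
    fd, tmp = tempfile.mkstemp(prefix='restricted-edit.')
    try:
        with os.fdopen(fd, 'wb') as f:
            f.write(original)
        os.chown(tmp, uid, gid)                     # the unprivileged editor must write it
        subprocess.run([editor, tmp], preexec_fn=drop_privs)
        with open(tmp, 'rb') as f:
            edited = f.read()
        if edited != original:                      # write back only on change
            with open(real, 'wb') as f:             # keeps owner and mode of real
                f.write(edited)
    finally:
        os.unlink(tmp)
    return edited != original


if __name__ == '__main__':
    if len(sys.argv) != 2 or 'SUDO_UID' not in os.environ:
        sys.exit('usage: sudo restricted-edit FILE')
    try:
        changed = edit(sys.argv[1])
        print('written' if changed else 'unchanged')
    except PermissionError as exc:
        sys.exit(f'restricted-edit: {exc}')
```

The check-then-open sequence is only safe when every directory on the path is root-owned; if the invoking user controls a parent directory, the target could be swapped between the check and the write-back, which is another reason to prefer the real sudoedit.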
Author Comment

by:its_ns_04
ID: 33619289
The previous problem is being solved.  But I came across one more interesting problem...

I wanted to grant user Bob the access, so that he can restart services of the server. Say I wish to give him access so that he can restart apache.

I configured as below:

User_Alias BOB =bob

Cmnd_Alias SERVICES_CMD = /sbin/service,/sbin/chkconfig,/etc/rc.d/init.d/httpd restart,/etc/rc.d/init.d/httpd stop,/etc/rc.d/init.d/httpd start
Cmnd_Alias SYSTEM_CMD = /bin/basename,/sbin/consoletype,/bin/env


BOB ALL=SERVICES_CMD, SYSTEM_CMD


When I run the command  "sudo /sbin/service  httpd restart" as Bob, it says:
/etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
/etc/profile.d/lang.sh: line 46: /sbin/consoletype: Permission denied
/sbin/service: line 5: /bin/basename: Permission denied
/sbin/service: line 7: /bin/basename: Permission denied
/sbin/service: line 62: /bin/env: Permission denied



How do I grant Bob sudo access so that he can restart httpd or other services?
Expert Comment

by:arnold
ID: 33622490
Grant bob access to execute apachectl (/usr/bin/apachectl).

The /etc/init.d script has to run other commands to collect information.
Author Comment

by:its_ns_04
ID: 33622564
No, it doesn't work that way. It gives me the error below:

/usr/sbin/apachectl: line 94: /usr/sbin/selinuxenabled: Permission denied
/usr/sbin/apachectl: line 97: /usr/sbin/httpd: Permission denied
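Added example and note, not from the thread. Two points explain the output above. First, sudoers is consulted only for the command named on the sudo line; once /sbin/service (or apachectl) is running as root, the programs it calls (consoletype, basename, env, selinuxenabled, httpd) are started by root directly and never pass through sudoers, so adding them to SYSTEM_CMD changes nothing either way. Second, "Permission denied" on every exec from inside a root-run script is the documented symptom of sudo's noexec feature: with "Defaults noexec" in effect, or a NOEXEC: tag on the entry, sudo preloads a library that makes the exec() family fail with EACCES for that command. The rest of the sudoers file is not shown in the thread, so that is an assumption; it can be checked by running "sudo -l" as bob, which prints NOEXEC: in front of affected entries. The fragment below restores exec for just the service commands and narrows /sbin/service to httpd; the EXEC: tag is harmless if noexec was not the cause.

```sudoers
# Added example, not from the thread.  Assumes the rest of the file sets
# "Defaults noexec" (or tags the alias NOEXEC:), which would explain the
# "Permission denied" on every program /sbin/service tries to run.
User_Alias BOB = bob

# Only the command bob types is matched against sudoers; children of the
# init script run as root without any further check, so consoletype,
# basename and env need no entries of their own (and gain nothing from them).
# "/sbin/service httpd *" instead of a bare "/sbin/service" keeps bob from
# restarting every service on the box; note that "*" also matches spaces.
Cmnd_Alias SERVICES_CMD = /sbin/service httpd *, \
                          /etc/rc.d/init.d/httpd start, \
                          /etc/rc.d/init.d/httpd stop, \
                          /etc/rc.d/init.d/httpd restart

# EXEC: overrides a "Defaults noexec" for these commands only.
BOB ALL = EXEC: SERVICES_CMD
```

Check the result with "visudo -c" as root and then "sudo -l" as bob before trying "sudo /sbin/service httpd restart" again.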
Author Closing Comment

by:its_ns_04
ID: 33686623
It only provided me a hint...