Solved

sudoers configuration

Posted on 2010-09-03
1,458 Views
Last Modified: 2013-12-04
Hi,

I am configuring sudoers so that some users can run "vi" and "nano" against any file except the shadow and sudoers files. I have the following contents in the /etc/sudoers file.

User_Alias USER1 = bob, smith

Cmnd_Alias EDIT_CMD = /bin/vi, /usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = /bin/vi /etc/shadow, /usr/bin/nano /etc/shadow, /bin/vi /etc/sudoers, /usr/bin/nano /etc/sudoers

USER1 ALL = !DENY_EDIT_CMD, EDIT_CMD

But it is still allowing bob and smith to run vi on /etc/shadow...

Any ideas where it is going wrong?

The machine is running sudo-1.7
Question by:its_ns_04
11 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 33599864
It might be that your deny rule needs to include vi shadow, visudo, nano shadow, nano sudoers.
The other thing is that you can open vi with
sudo vi
and then from within open any document without restriction.

Alternatively, you can grant them explicit files that they can open,
i.e. /bin/vi /etc/httpd/conf/httpd.conf
etc.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 33599868
AFAIK "!" should be used inside an alias.

So please try this:


Cmnd_Alias DENY_EDIT_CMD = !/bin/vi /etc/shadow, !/usr/bin/nano /etc/shadow, !/bin/vi /etc/sudoers, !/usr/bin/nano /etc/sudoers
...
USER1 ALL = DENY_EDIT_CMD, EDIT_CMD

wmp
0
 
LVL 1

Author Comment

by:its_ns_04
ID: 33599915
Nope, it doesn't work even though I mention it in the Cmnd_Alias. I have already tried that...

The user needs to be able to open a bunch of files, so I cannot do the reverse, i.e. only mention the allow list.
0
 
LVL 79

Accepted Solution

by:arnold (earned 750 total points)
ID: 33600982
Not sure it makes a difference whether the entries are individually negated within the alias or the alias is negated as a whole. The issue might be the deny_this, allow_that:
This is not allowed, this is not allowed, this is allowed.
Which will be enforced, the deny or the allow part?


I have not tried to grant such access, but here is a suggestion.

Have you tried just having the deny rule?
USER1 ALL=(DENY_EDIT_CMD) ALL
or
USER1 ALL=(DENY_EDIT_CMD, EDIT_CMD) ALL

I would think everything else will be treated as allowed.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo

I've not seen mixing allow x, deny y, and I am unsure which takes precedence. Based on your experience, it does not seem that a deny rule overrides any other allow rule.


Try using visudo; when saving, it will check the file for correct syntax and may reflect an error in the formulation.

I don't know whether using a group
%group allow x
USER_DEFINED_alias deny y
might be something to test.
0
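As an added illustration (not code from this thread), the following Python simulates how sudo walks a Cmnd_Spec_List: sudoers(5) states that the last matching entry wins, and a command listed without arguments matches that command with any arguments. Run against the question's own aliases, the posted order `!DENY_EDIT_CMD, EDIT_CMD` allows `/bin/vi /etc/shadow` because the bare `/bin/vi` entry matches last; listing the deny last flips that, but a plain `/bin/vi` stays allowed, which is arnold's point about opening any file from inside the editor. The matcher is a simplification (no wildcards, tags or sudoedit).

```python
"""Simulate sudo's evaluation of a Cmnd_Spec_List for the question's rule."""
import shlex

# Aliases copied from the question's /etc/sudoers fragment.
EDIT_CMD = ["/bin/vi", "/usr/bin/nano"]
DENY_EDIT_CMD = ["/bin/vi /etc/shadow", "/usr/bin/nano /etc/shadow",
                 "/bin/vi /etc/sudoers", "/usr/bin/nano /etc/sudoers"]


def cmnd_matches(spec, argv):
    """True if a sudoers command spec matches argv.

    A spec that is only a path matches that path with ANY arguments;
    a spec with arguments must match them exactly (sudoers(5)).
    """
    parts = shlex.split(spec)
    if parts[0] != argv[0]:
        return False
    return len(parts) == 1 or parts[1:] == argv[1:]


def evaluate(cmnd_spec_list, argv):
    """Walk the entries in order; the LAST matching entry decides.

    Entries are (negated, spec) pairs. Returns True if allowed,
    False if denied, None if no entry matched at all.
    """
    decision = None
    for negated, spec in cmnd_spec_list:
        if cmnd_matches(spec, argv):
            decision = not negated
    return decision


def expand(*groups):
    """Flatten (negated, alias) groups into ordered (negated, spec) entries."""
    return [(neg, spec) for neg, alias in groups for spec in alias]


# The question's line:  USER1 ALL = !DENY_EDIT_CMD, EDIT_CMD
AS_POSTED = expand((True, DENY_EDIT_CMD), (False, EDIT_CMD))
# Same entries, deny last:  USER1 ALL = EDIT_CMD, !DENY_EDIT_CMD
DENY_LAST = expand((False, EDIT_CMD), (True, DENY_EDIT_CMD))

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("deny last", DENY_LAST)):
        for cmd in ("/bin/vi /etc/shadow", "/bin/vi /etc/hosts", "/bin/vi"):
            print(f"{label:9} {cmd:22} -> {evaluate(rules, shlex.split(cmd))}")
```

The real fix for this class of requirement is sudoedit (sudo -e), which edits a temporary copy under the user's own privileges, rather than a deny list against an editor that can open other files itself.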
 
LVL 3

Expert Comment

by:gremwell
ID: 33604463
In addition to the issue mentioned by Arnold, there is another one: the user can escape from vi to a root shell by pressing :!<ENTER>. This particular feature can be disabled by invoking vi with the -Z command line option.
0
 
LVL 62

Expert Comment

by:gheist
ID: 33610618
VISUAL=`which nano` visudo

You cannot edit sudoers; a shadow copy is created from it by visudo.
0
 
LVL 79

Expert Comment

by:arnold
ID: 33612517
Any text file can be edited, including shadow, including any read-only file. When saving, one would use the ! to assert the write on the read-only file.
visudo, like vipw, is a tool that would verify and prevent simultaneous access, provided all admins use the tools to access the file.

Instead of using vi, you could set up a wrapper script to which you will grant these users access, and within this script you would check what file they are trying to open and then either grant or not.

0
 
LVL 1

Author Comment

by:its_ns_04
ID: 33619289
The previous problem has been solved. But I came across one more interesting problem...

I wanted to grant user Bob the access, so that he can restart services of the server. Say I wish to give him access so that he can restart apache.

I configured as below:

User_Alias BOB = bob

Cmnd_Alias SERVICES_CMD = /sbin/service, /sbin/chkconfig, /etc/rc.d/init.d/httpd restart, /etc/rc.d/init.d/httpd stop, /etc/rc.d/init.d/httpd start
Cmnd_Alias SYSTEM_CMD = /bin/basename, /sbin/consoletype, /bin/env

BOB ALL = SERVICES_CMD, SYSTEM_CMD


When I run the command "sudo /sbin/service httpd restart" as Bob, it says:
/etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
/etc/profile.d/lang.sh: line 46: /sbin/consoletype: Permission denied
/sbin/service: line 5: /bin/basename: Permission denied
/sbin/service: line 7: /bin/basename: Permission denied
/sbin/service: line 62: /bin/env: Permission denied

How do I grant Bob sudo access so that he can restart httpd or other services?
0
 
LVL 79

Expert Comment

by:arnold
ID: 33622490
Grant bob access to execute apachectl: /usr/bin/apachectl.

The /etc/init.d script has to run other commands to collect information.
0
 
LVL 1

Author Comment

by:its_ns_04
ID: 33622564
No, it doesn't work that way. It gives me the error below:

/usr/sbin/apachectl: line 94: /usr/sbin/selinuxenabled: Permission denied
/usr/sbin/apachectl: line 97: /usr/sbin/httpd: Permission denied
0
 
LVL 1

Author Closing Comment

by:its_ns_04
ID: 33686623
It only provided me a hint...
0
