sudoers configuration

Hi,

I am configuring sudoers so that some users can do "vi" and "nano" against any file except shadow and sudoers files. I have the following contents in /etc/sudoers file.

User_Alias USER1 = bob,smith

Cmnd_Alias EDIT_CMD =/bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = /bin/vi /etc/shadow,/usr/bin/nano /etc/shadow,/bin/vi /etc/sudoers,/usr/bin/nano /etc/sudoers

USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD

But still it is allowing bob and smith to run vi on /etc/shadow...

Any ideas where it is going wrong ...

The machine is running sudo-1.7
its_ns_04 Asked:

arnold Commented:
Not sure it makes a difference whether the entries are individually negated within the alias or the alias is negated as a whole. The issue might be the deny_this, allow_that:
This is not allowed, this is not allowed, this is allowed.
Which will be enforced, the deny or the allow part?


Have not tried to grant such access, but here is a suggestion:

Have you tried just having the deny rule?
USER1 ALL=(DENY_EDIT_CMD) ALL
or
USER1 ALL=(DENY_EDIT_CMD, EDIT_CMD)  ALL

I would think everything else will be treated as allowed.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch09_:_Linux_Users_and_Sudo

I've not seen mixing allow x, deny y and I am unsure which takes precedence.  Based on your experience, it does not seem that a deny rule overrides any other allow rule.


Try using visudo, when saving, it will check the file for correct syntax and may reflect an error in the formulation.

Don't know whether using group
%group allow x
USER_DEFINED_alias deny y might be something to test.
0
 
arnold Commented:
It might be that your deny rule needs to include vi shadow,visudo, nano shadow, nano sudoers.
The other thing you can open vi
sudo vi
and then from within open any document without restriction.

Alternatively, you can grant them explicit files that they can open
i.e. /bin/vi /etc/httpd/conf/httpd.conf
etc.
0
 
woolmilkporc Commented:
Afaik "!" should be used inside an alias.

So please try this:


Cmnd_Alias DENY_EDIT_CMD = !/bin/vi /etc/shadow, !/usr/bin/nano /etc/shadow, !/bin/vi /etc/sudoers, !/usr/bin/nano /etc/sudoers
...
USER1 ALL = DENY_EDIT_CMD, EDIT_CMD

wmp
0

 
its_ns_04 Author Commented:
Nope, it doesn't work even though I mention it in the Cmnd_Alias. I have already tried that...

The user needs to be able to open a bunch of files, so I cannot do the reverse, i.e., only mention the allow list.
0
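Why neither the asked configuration nor woolmilkporc's variant denies anything: sudo evaluates the command list of a matching user spec left to right and, when more than one entry matches, the last match wins. In `USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD` the broad `EDIT_CMD` entry is evaluated after the negated one, matches `/bin/vi` with any arguments, and re-allows the command; moving the `!` inside the alias keeps the same order, so it fails the same way. The simulator below is an added example (not sudo's code and not from any poster in this thread); it models only User_Alias, Cmnd_Alias, `!`, ALL and command arguments, skips Defaults/host/runas handling, and runs on constructed copies of the configurations posted above plus a reordered one.

```python
"""Simulator of sudoers command matching: aliases, '!' negation, and the
rule that when several entries match, the LAST match decides.
Added example; simplified model, not sudo's own matching code."""
import shlex


def parse_sudoers(text):
    """Read User_Alias / Cmnd_Alias lines and user specs 'WHO ALL=cmd1, cmd2'.
    Returns (user_aliases, cmnd_aliases, rules); rules keep file order."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Host_Alias", "Runas_Alias")):
            continue  # not modelled here
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name.strip()] = [m.strip() for m in members.split(",")]
        else:
            who, rest = line.split(None, 1)
            _hosts, cmds = rest.split("=", 1)  # host part ignored (ALL assumed)
            rules.append((who.strip(), [c.strip() for c in cmds.split(",")]))
    return user_aliases, cmnd_aliases, rules


def expand(spec, cmnd_aliases, negated=False):
    """Yield (negated, command_spec) pairs.  Each leading '!' flips negation;
    an alias name expands recursively with the current negation applied."""
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:].strip()
    if spec in cmnd_aliases:
        for member in cmnd_aliases[spec]:
            yield from expand(member, cmnd_aliases, negated)
    else:
        yield negated, spec


def matches(spec, path, args):
    """sudoers argument semantics: ALL matches anything; a bare path matches
    that path with ANY arguments; path + arguments must match exactly;
    path + "" matches only an invocation with no arguments."""
    if spec == "ALL":
        return True
    parts = shlex.split(spec)
    if not parts or parts[0] != path:
        return False
    spec_args = parts[1:]
    if not spec_args:
        return True
    if spec_args == [""]:
        return not args
    return spec_args == list(args)


def user_matches(who, user, user_aliases):
    return who == user or user in user_aliases.get(who, [])


def evaluate(sudoers_text, user, path, args=()):
    """Return (allowed, trace).  allowed is True/False, or None when no entry
    matched (sudo treats that as a denial).  trace lists every matching entry
    in evaluation order, so the last-match-wins outcome is visible."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(sudoers_text)
    allowed, trace = None, []
    for who, specs in rules:
        if not user_matches(who, user, user_aliases):
            continue
        for spec in specs:
            for negated, cmd in expand(spec, cmnd_aliases):
                if matches(cmd, path, args):
                    allowed = not negated          # later match overrides
                    trace.append(("deny" if negated else "allow", cmd))
    return allowed, trace


# Constructed copy of the configuration in the question.
ASKED = """
User_Alias USER1 = bob,smith
Cmnd_Alias EDIT_CMD =/bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = /bin/vi /etc/shadow,/usr/bin/nano /etc/shadow,/bin/vi /etc/sudoers,/usr/bin/nano /etc/sudoers
USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD
"""

# woolmilkporc's variant: '!' inside the alias, same left-to-right order.
WMP = """
User_Alias USER1 = bob,smith
Cmnd_Alias EDIT_CMD =/bin/vi,/usr/bin/nano
Cmnd_Alias DENY_EDIT_CMD = !/bin/vi /etc/shadow, !/usr/bin/nano /etc/shadow, !/bin/vi /etc/sudoers, !/usr/bin/nano /etc/sudoers
USER1 ALL = DENY_EDIT_CMD, EDIT_CMD
"""

# Same aliases as asked, but the negated entry placed LAST.
REORDERED = ASKED.replace("USER1 ALL=!DENY_EDIT_CMD,EDIT_CMD",
                          "USER1 ALL=EDIT_CMD,!DENY_EDIT_CMD")

if __name__ == "__main__":
    for label, cfg in (("asked", ASKED), ("wmp", WMP), ("reordered", REORDERED)):
        for target in ("/etc/shadow", "/etc/hosts"):
            allowed, trace = evaluate(cfg, "bob", "/bin/vi", (target,))
            print(f"{label:9} bob: vi {target:12} -> {allowed}  via {trace}")
```

With the negated entry last, the simulator denies `vi /etc/shadow` and `nano /etc/sudoers` for bob and smith while still allowing other files. That only fixes the ordering problem: as arnold and gremwell point out above, an editor running as root can open any file from inside, so argument-based negation on an editor is not a reliable restriction; sudoedit, which edits a temporary copy and never runs the editor itself as root, is the mechanism sudo provides for this case.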
 
gremwell Commented:
In addition to the issue mentioned by Arnold, there is another one: user can escape from vi to root shell by pressing :!<ENTER>. This particular feature can be disabled by invoking vi with -Z command line option.
0
 
gheist Commented:
VISUAL=`which nano` visudo

You cannot edit sudoers directly; a shadow copy is created from it by visudo.
0
 
arnold Commented:
Any text file can be edited, including shadow, including any read-only file. When saving, one would use the ! to assert the write on the read-only file.
visudo, like vipw, is a tool that would verify and prevent simultaneous access, provided all admins use the tools to access the file.

Instead of using vi, you could set up a wrapper script to which you will grant these users access, and within this script you would check what file they are trying to open and then either grant it or not.

0
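One way to build the wrapper arnold describes, as an added example rather than anything posted in the thread: the users are granted the wrapper in sudoers instead of `/bin/vi`, the wrapper canonicalises the requested path (so symlinks and `..` cannot disguise a denied file) and checks it against an allow-list, and it starts vi with the `-Z` restricted mode gremwell mentions so the editor cannot shell out. The allow-list contents, the wrapper's location and the editor path are assumptions; the wrapper must itself be root-owned and not writable by the users it serves.

```python
"""Allow-list editor wrapper, to be granted via sudoers in place of /bin/vi.
Added example, not from the thread; ALLOWED and EDITOR are assumptions."""
import os
import sys

# Files these users may edit (assumed list); anything else is refused,
# so /etc/shadow and /etc/sudoers never reach the editor.
ALLOWED = frozenset({
    "/etc/httpd/conf/httpd.conf",
    "/etc/hosts",
})

# -Z: restricted mode, disables :! and other shell escapes.
EDITOR = ["/bin/vi", "-Z"]


def resolve(path):
    """Canonical absolute path: symlinks and '..' components resolved,
    so 'link-to-shadow' or '/etc/x/../shadow' are judged by where they end up."""
    return os.path.realpath(path)


def check_target(path, allowed=ALLOWED):
    """True only if the canonical form of path is on the allow-list."""
    return resolve(path) in allowed


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} FILE", file=sys.stderr)
        return 2
    if not check_target(argv[1]):
        print(f"refused: {argv[1]} is not an editable file", file=sys.stderr)
        return 1
    # Pass the resolved path and '--' so the target is never parsed as an option.
    os.execv(EDITOR[0], EDITOR + ["--", resolve(argv[1])])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Granting `/usr/local/sbin/edit-wrapper` (assumed path) in a Cmnd_Alias and nothing else means the users never hold a root editor with a free choice of file; the allow-list, not sudoers negation, is what decides.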
 
its_ns_04 Author Commented:
The previous problem is being solved.  But I came across one more interesting problem...

I wanted to grant user Bob the access, so that he can restart services of the server. Say I wish to give him access so that he can restart apache.

I configured as below:

User_Alias BOB =bob

Cmnd_Alias SERVICES_CMD = /sbin/service,/sbin/chkconfig,/etc/rc.d/init.d/httpd restart,/etc/rc.d/init.d/httpd stop,/etc/rc.d/init.d/httpd start
Cmnd_Alias SYSTEM_CMD = /bin/basename,/sbin/consoletype,/bin/env


BOB ALL=SERVICES_CMD, SYSTEM_CMD


When I run the command  "sudo /sbin/service  httpd restart" as Bob, it says:
/etc/init.d/functions: line 19: /sbin/consoletype: Permission denied
/etc/profile.d/lang.sh: line 46: /sbin/consoletype: Permission denied
/sbin/service: line 5: /bin/basename: Permission denied
/sbin/service: line 7: /bin/basename: Permission denied
/sbin/service: line 62: /bin/env: Permission denied



How to grant Bob sudo access so that he can restart http or other services ??
0
 
arnold Commented:
Grant bob access to execute apachectl (/usr/bin/apachectl).

The /etc/init.d script has to run other commands to collect information.
0
 
its_ns_04 Author Commented:
No, it doesn't work that way. It gives me the error below:

/usr/sbin/apachectl: line 94: /usr/sbin/selinuxenabled: Permission denied
/usr/sbin/apachectl: line 97: /usr/sbin/httpd: Permission denied
0
 
its_ns_04 Author Commented:
It only provided me a hint...
0