Re: configuring sudo access for some users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ankush grover wrote:
Hi friends,

I want to configure sudo access for some users on my system. I am currently
using FC7 on my system. What they require (I mean users) is to do all the
things except they cannot su/su- to become anyother user or root user, they

If you try to say they can do everything except ... London to a brick you will forget something.

If you say that can do these things [ ... ] then probably you will forget something too, but you will not have so much worry about them doing something they ought not.

You can probably further constrain them using selinux; you don't want them using anything that opens (for example) /etc/passwd or /etc/shadow or /etc/inittab for output.

You don't want them running any shells (so no sudo -i) unless you have them thoroughly constrained with selinux.

If they can sit at the console and boot manually, you have some problems to solve.

For example.
Can someone boot unauthorised media?
-- I could run Knoppix

Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5 \
  ro root=/dev/VolGroup00/LogVol00 init=/bin/bash

otoh if you've lost a fight with the proverbial bus, then someone may well need to do one of these.

should not be able to change anybody's password or atleast root's password,
cannot modify /etc/sudoers and  etc/pam.d/su files . I have a script which
can extract all commands issued with "sudo" but if these users become root
then I won't be able to know who has done what.

AFAIK anyone who can modify the user base can add a "root" user.

Log to another machine, where they cannot interfere with the logs.



I have already restricted su/su - access by editing /etc/pam.d/su  and
uncommenting the below line:

# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid


Authentication on my system is done through LDAP but also Use MD5, Use
Shadow and Local Authorization is sufficient options are enabled so that
local user for ex myself can login without authenticating to LDAP. Users for
which i want to configure sudo access will all be authenticated through
LDAP.

Currently I have added these 2 lines in /etc/sudoers (I used visudo command
to edit this file)

test ALL=(ALL) ALL, !/usr/bin/su
test2 ALL=(ALL) ALL, !/usr/bin/su

You forgot runuser which goes to illustrate my point.

What about the user who writes this program and runs it with su?

07:30 [summer@numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer@numbat ~]$ chmod +x bin/fakeshell
07:31 [summer@numbat ~]$ bin/fakeshell
[summer@numbat ~]$ logout
07:31 [summer@numbat ~]$

Note the shell prompt changed.



Both test and test2 are able to become root when they use "sudo su - " but
they are not able to become root user when they issue "su -". How do I
restrict these users not to become root or any other user through sudo su -
and also these users should not able to change their or other users
passwords on this system.


Thanks & Regards

Ankush Grover




--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux