RE: Wheel and YUM!!




Ian Blackwell wrote:
> Plant, Dean wrote:
>> I see you're trying to protect your users from becoming root. You do
>> realise that with that sudo configuration a user can still run "sudo
>> /bin/bash" or any of the other shells to gain root access.
>> 
> Hi Dean,
> 
> I don't think that's correct.  One of the purposes of the sudoers file
> is you can limit users to specific programs, excluding them from
> others.  This entry, which I just tested in my CentOS5.2 box, allows
> the user tldap to use yum, but not /bin/bash:-
> tldap   ALL=/usr/bin/yum
> 
> Here's what happens when I try sudo as user tldap:-
> 2.6.18-92.1.1.el5.centos.plusxen[tldap@www ~]$ sudo yum update
> Loading "fastestmirror" plugin
> Loading "priorities" plugin
> Loading mirror speeds from cached hostfile
>  * base: rsync.atworks.co.jp
>  * updates: rsync.atworks.co.jp
>  * centosplus: mirror.exetel.com.au
>  * addons: mirror.exetel.com.au
>  * extras: mirror.exetel.com.au
> 0 packages excluded due to repository priority protections
> Setting up Update Process
> No Packages marked for Update
> 2.6.18-92.1.1.el5.centos.plusxen[tldap@www ~]$ sudo /bin/bash
> Sorry, user tldap is not allowed to execute '/bin/bash' as root on www
> 2.6.18-92.1.1.el5.centos.plusxen[tldap@www ~]$
> 

Yes, you are correct: in your example only yum would run and no exclude is
required. We cannot see from his posting exactly what commands he is
allowing, as he is calling groups.

What I was trying to point out is that if he is disabling commands
like su, then they must be enabled somewhere in the groups he is calling,
and it is good practice to disable all the shells as well. All my
sudoers lines that call groups like he was trying to do always have a
!SU, !SHELLS to specifically deny root access.

Anyway I will shut up now as none of this will help fix his problem.

Dean
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
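As an added illustration of the matching rule behind both Ian's single-command line and Dean's "PKGS, !SU, !SHELLS" pattern, here is a small Python evaluator for that subset of sudoers syntax. It is not code from sudo or from anyone in this thread; the group name pkgadmins, the PKGS alias, the rpm entry and the host name are assumed for the example. It models sudo's "entries are scanned in order, the last match wins, and a ! entry denies" rule, which is what makes the trailing negations deny a shell even when an earlier alias in the same line would allow it.

```python
"""Toy evaluator for the sudoers subset discussed in the thread.

Constructed example, not code from sudo or from the CentOS list. It models only:
  * Cmnd_Alias NAME = cmd, cmd, ...
  * user-spec lines of the form  <user|%group>  <host> = entry, entry, ...
    where an entry is a command path, an alias name, ALL, or any of those
    prefixed by '!'
Real sudoers has far more syntax (Runas, tags, wildcards, Host_Alias, ...).
"""
import re
from typing import Dict, List, Tuple

# Constructed sudoers text: Ian's single-command line for tldap plus the
# alias-with-denials pattern Dean describes.  The group "pkgadmins", the PKGS
# alias and the rpm entry are assumed names, not from the thread.
SUDOERS_TEXT = """
Cmnd_Alias PKGS   = /usr/bin/yum, /usr/bin/rpm
Cmnd_Alias SU     = /bin/su, /usr/bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/csh, /bin/tcsh, /bin/ksh, /bin/zsh
tldap       ALL = /usr/bin/yum
%pkgadmins  ALL = PKGS, !SU, !SHELLS
"""


def parse_sudoers(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, List[str]]]]:
    """Return (command aliases, user specs) parsed from the supported subset."""
    aliases: Dict[str, List[str]] = {}
    specs: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(.+)", line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        who, host, entries = m.groups()
        specs.append((who, host, [e.strip() for e in entries.split(",")]))
    return aliases, specs


def _expand(entry: str, aliases: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Expand one entry into (is_negated, list of command paths or ['ALL'])."""
    negated = entry.startswith("!")
    name = entry.lstrip("!")
    if name in aliases:
        return negated, aliases[name]
    return negated, [name]


def is_allowed(text: str, user: str, groups: List[str], command: str,
               host: str = "www") -> bool:
    """Decide whether `user` (member of `groups`) may run `command` via sudo on `host`.

    Mirrors the sudoers rule that entries are scanned in order and the LAST one
    matching the command decides, so a trailing '!SHELLS' overrides an earlier
    allow from an alias.  The default, with no matching entry, is deny.
    """
    aliases, specs = parse_sudoers(text)
    decision = False
    for who, spec_host, entries in specs:
        who_matches = (who == user) or (who.startswith("%") and who[1:] in groups)
        host_matches = spec_host in ("ALL", host)
        if not (who_matches and host_matches):
            continue
        for entry in entries:
            negated, cmds = _expand(entry, aliases)
            if "ALL" in cmds or command in cmds:
                decision = not negated
    return decision


if __name__ == "__main__":
    for user, groups, cmd in [("tldap", [], "/usr/bin/yum"),
                              ("tldap", [], "/bin/bash"),
                              ("alice", ["pkgadmins"], "/usr/bin/rpm"),
                              ("alice", ["pkgadmins"], "/bin/bash"),
                              ("alice", ["pkgadmins"], "/bin/su")]:
        verdict = "allowed" if is_allowed(SUDOERS_TEXT, user, groups, cmd) else "denied"
        print(f"{user:6} {cmd:14} {verdict}")
```

The negations only change the outcome when the allow-list alias on the same line is broad enough to include a shell or su; with a tight alias like PKGS they are belt-and-braces, which is the situation Dean describes. sudoers(5) documents that subtracting commands from ALL with ! is not a reliable restriction on its own, so an explicit allow-list should remain the primary control, and the real file should always be checked with visudo rather than a toy parser like this one.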

