I have several servers where some users need to be sudoers to work. The problem is that sudoers can run the command sudo su and log in as user root. It seems very risky to run that command.
I tried with Command Alias in the file /etc/sudoers but it has not worked.
Is there any way for them to be sudoers but not be able to run the command sudo su?
sudo does not work.
I have installed Arch onto a USB key, using BTRFS.
The output of "sudo" is:
$ sudo
sudo: unable to stat /etc/sudoers: Permission denied
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
$ ls -l /etc/sudoers
-r--r----- 1 root root 2849 May 18 15:00 /etc/sudoers
$ lsattr /etc/sudoers
--------------- /etc/sudoers
$ strace -u ross sudo true
I would like to run a command with temporary group membership but it seems that I don't have permission to do that.
Hello!
Does anyone have an idea how to block switching to root if a user has full sudo?
One way is to block use of "su" in the sudoers file, but it's still possible with sudo -i or sudo -s, sudo bash, etc.
Another way is to create an alias in sudoers and permit only specific commands for the user.
Any ideas?
During an installation, as usual, we create our main user account, and then we can do sudo commands with it without problem.
Now, when I created another account and wanted to use sudo, it gave me an error that the account is not in the sudoers file. In that file I found out that users in the %admin and %sudo groups can gain root privileges.
My /etc/sudoers file has the following entries:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
agupta ALL= /sbin/,/usr/sbin/,/bin/,/bin/cat /etc/sudoers
ADMINS ALL= !/usr/bin/su, !SHELLS
alice ALL =(%Children) /sbin/, /usr/sbin/, /bin/
alice is a member of the Children group; please find below the details for alice:
[alice@localhost ~]$ id alice
uid=1005(alice) gid=1004(C
I've seen this question in different forms on various forums. Each time, the result never seems to be a full answer. I would like to prevent users from being able to sudo to root while maintaining the ability to sudo to other users. As tedious a task as this is, I already know I can lock out editing the sudoers file and running sudo bash|sh|etc.
The good news is that I got sudoers via ldap working on Red Hat Directory Server. The package is sudo-1.7.2p1.
I think that sudo has become a widely used command with Ubuntu, where you don’t even have a root password; before that it was probably used only in some data centers to restrict access to some commands.
sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.
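A small audit of the sudoers entries quoted in the posts above, as an added example that is not part of any of the original posts: it flags rules that grant ALL, grant whole directories, or rely on "!" exclusions. It assumes one-line user specifications with unexpanded aliases; the function names and the "bob" rule are constructed for illustration.

```python
import re

# Constructed sample: the entries quoted above plus a constructed "bob" rule.
SAMPLE = """\
root ALL=(ALL) ALL
agupta ALL= /sbin/,/usr/sbin/,/bin/,/bin/cat /etc/sudoers
ADMINS ALL= !/usr/bin/su, !SHELLS
alice ALL =(%Children) /sbin/, /usr/sbin/, /bin/
bob ALL=(ALL) ALL, !/usr/bin/su
"""

SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD:

def audit_rule(line):
    """Return (who, as_root, findings) for a one-line user spec, else None."""
    line = line.strip()
    m = RULE.match(line)
    if not m or line.startswith(SKIP):
        return None
    who, runas, cmds = m.groups()
    # No Runas_Spec means root; only the user part before ':' is considered.
    targets = [t.strip() for t in (runas or "root").split(":")[0].split(",")]
    as_root = any(t in ("root", "ALL") for t in targets)
    grants, negated, findings = [], [], []
    for cmd in filter(None, (TAGS.sub("", c.strip()) for c in cmds.split(","))):
        if cmd.startswith("!"):
            negated.append(cmd[1:].strip())
            continue
        grants.append(cmd)
        path = cmd.split()[0]
        if path == "ALL":
            findings.append("ALL: any command, shells included")
        elif path.endswith("/"):
            findings.append(f"{path}: every file in this directory is allowed")
    if negated and not grants:
        findings.append("only negated entries: the rule grants nothing")
    elif negated and "ALL" in grants:
        findings.append("exclusions from ALL: sudoers(5) warns this is not effective")
    return who, as_root, findings

def audit(text):
    """Audit every user specification in sudoers text; other lines are skipped."""
    return [r for r in map(audit_rule, text.splitlines()) if r]

if __name__ == "__main__":
    for who, as_root, findings in audit(SAMPLE):
        print(who, "root" if as_root else "non-root", findings)
```

A rule with no findings is not automatically safe: any permitted program that can start a shell or edit files as root needs a manual review.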