4

sudo to disallow certain commands

view full story
linux-howto

http://www.linuxquestions.org – Hello there I'm trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh. Is there a way to allow users to run anything they want except shells. I realise this is a default permit which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decided on the likely 1000+ commands I would want (HowTos)

robot1's picture
Submitted by robot1 on 01/11/2011 – Made popular on 01/11/2011

Stories similar to sudo to disallow certain commands

Hello all,

I manage some HP-UX 11.31 servers. I have some users that have sudo access. All of them belong to the 'sudoers' user group.

First, I am NOT looking for rock star security. We just at a glance want to prevent "sudo su -" and it is a policy here to always use sudo when running commands and we all want that. Ideally we would like to log something if someone does try "sudo su -" to please obey the culture and never become root so we can reverse engineer all commands run and what happened.

Hello!

Do anyone have idea how to block switching to root if user have full sudo?

One way is in sudoers file block use of "su", but still it`s possible with sudo -i or sudo -s , sudo bash etc. Other way is create alias on sudoers and permit only specific commands for user.

Any ideas?

sudo cannot open /etc/sudoers 52 weeks 17 hours ago

sudo does not work. I have installed Arch onto a USB key, using BTRFS. The output of "sudo" is:

$ sudo sudo: unable to stat /etc/sudoers: Permission denied sudo: no valid sudoers sources found, quitting sudo: unable to initialize policy plugin

$ ls -l /etc/sudoers -r--r----- 1 root root 2849 May 18 15:00 /etc/sudoers

$ lsattr /etc/sudoers --------------- /etc/sudoers

$ strace -u ross sudo true

Running sudo commands 13 weeks 6 days ago

The utility sudo runs executables as root or another user. The command cd is not an executable, it is command that is built into the shell so you can not run it via sudo. [by hawkmage]

I have a script run from a non-privaleged users' crontab that invokes some commands using sudo. Except it doesn't. The script runs fine but the sudo'ed commands silently fail.

The script runs perfectly from a shell as the user in question. Sudo does not require a password. The user in question has (root) NOPASSWD: ALL access granted in /etc/sudoers. Cron is running and executing the script.

Beside the usual setup where I create a normal user foo, I want to run a few d-i preseed/late_command commands as that foo user.

My initial thought was to simply call those commands with sudo, e.g: d-i preseed/late_command in-target echo "<pwd>" | sudo -Si <command>. This works for some sort of commands.

Whenever I try to do anything at all that requires my password it returns this:

u7ur7l3@ubuntu:~$ sudo sudo: /usr/lib/sudo/sudoers.so must be owned by uid 0 sudo: fatal error, unable to load plugins u7ur7l3@ubuntu:~$

So I can't install anything from the Software Center / package manager or run any commands in terminal that require my password.

apostrophe in ProcessBuilder 13 weeks 6 days ago

I need to build the following command in linux using ProcessBuilder:

sudo packit -t UDP -S 1000 -D 1200 -s 127.0.0.1 -d 192.168.1.1 -c 5 -n 12345 -p '0x 80 64 45 78 00 00 27'

I tried with the following code:

commands.add("sudo"); commands.add("packit"); commands.add("-t"); commands.add("UDP"); commands.add("-S"); commands.add("1000"); commands.add("-D"); commands.add("1200"); commands.add("-s"