[NCLUG] Sudo

Bob Proulx bob at proulx.com
Thu Aug 10 09:35:59 MDT 2006 

Onyx wrote:
> When using 'sudo', does anyone know of an efficient way to setup the 
> sudoers file so that a particular group (ie: wheel) can execute all root 
> commands, but cannot become root (through the means 'su' or any other form).

If you only allow the authorized users to execute a specific set of
commands and those commands do not allow further access, such as
spawning a shell, then that should be sufficient.  And pretty much
that is the only way to do it.  This is what I do on my systems.  For
example something like this:

  Cmnd_Alias      SHUTDOWN = /usr/sbin/shutdown -r now
  Cmnd_Alias      APACHECTL = \
          /etc/init.d/apache2 start, \
          /etc/init.d/apache2 stop, \
          /etc/init.d/apache2 restart, \
          /etc/init.d/apache2 reload, \
          /etc/init.d/apache2 force-reload
  ADMINS          ALL= APACHECTL, SHUTDOWN
  User_Alias     ADMINS = bob

> I tried defining something like the following, but it didn't seem to do 
> the trick.

Often people have tried to do something like this.  But it does not
work.  At best it is a reminder that it is undesirable to spawn a
shell (because the command is not tracked in that case) but it cannot
be enforced.  For the people who are conscientious this is not
needed.  For the others it is not effective.

> %wheel  ALL=ALL, !SU, !SHELLS

Because ALL is allowed in the above I could simply do the following.

  sudo vi safefile
  :sh

Or I could do this:

  cp /bin/bash /tmp/bash
  sudo /tmp/bash

Basically imagine a filelist with every file path currently on the
system added with every *potential* file path that may exist on the
system at some point in the future.  The latter is an infinite set of
paths.  From infinitity subtract a few known su and shell locations.
The set that is left behind is still an infinite set.

At best you might be able to audit /bin/, /usr/bin/, /sbin/,
/usr/sbin/, and develop a list of commands that you don't want the
user to run from those directories.  (Don't include vi, vim, emacs,
xemacs, or any other that can spawn shells.)  Then authorize those
entire directories and blacklist out the commands that you don't want
users to run.  Then whenever you install additional software update
the lists.  But I think this is an impractical amount of work.

Bob

More information about the NCLUG mailing list