
sudoers

 
SOLVED
Ragni Singh
Super Advisor

sudoers

Check this out. A user created a section for the sudoers file. Since I am a very new sysadmin, can someone please explain to me exactly what kind of access he will get once I add this section to our sudoers file? Will this give him high-level authority on the production systems, especially the last section? What does the ! mean before the command?

# Cmnd alias specification
Cmnd_Alias SYSTEMDOWN = /sbin/reboot, /usr/sbin/reboot, \
                        /sbin/halt, /sbin/poweroff, \
                        /sbin/shutdown, /sbin/init, /sbin/telinit

Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/ksh, \
                    /bin/tcsh, /usr/bin/rsh, \
                    /bin/zsh, /bin/ash, /bin/ash.static, \
                    /bin/bash, /bin/bash2, /bin/bsh

Cmnd_Alias SU = /bin/su

# Defaults specification

# User privilege specification
testuser ALL=ALL,!SHELLS, !SYSTEMDOWN, !SU

Steven E. Protter
Exalted Contributor

Re: sudoers

This section:

Looks to my untrained eye like the user can do anything he/she wants.

boot

Shutdown

This person is just a regular user?

SEP
Contact form that mails me offline:
http://www.isnamerica.com/contactsep.shtml
If you use the form, please tell me why you are emailing!!
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Stuart Browne
Honored Contributor

Re: sudoers

I take it as that user can't run (as root) any of the shutdown commands or shells.

in other words, the user can run other commands as root (that have been listed in sudoers already), EXCEPT those listed in SHELLS, SYSTEMDOWN or SU.

I don't see this as opening holes. I see it as closing a few if someone was doing dodgy sudoers.

But let me ask you this. Why does a user suddenly want you to add this, given that the machine has been running fine previously without it?

What reason did the user put forth for you to add such a line?
One long-haired git at your service...
Ragni Singh
Super Advisor

Re: sudoers

Okay, so here I go. This user works in development and is a Linux expert. He has been fighting us to give him root access and so far I have been successful. I have been able to contain him by giving him sudo access to do work, and if he needs more, I have done it for him.

Let me ask you this: if you were a sysadmin and this user asked for sudo access as shown above, would you give it to him? I want to be polite and give him the access that he needs to do the work, but under no circumstances would I like to give him any high-level access. With the stuff above, won't he be able to sudo -s and inherit root? What exactly would he be able to do and what won't he be able to do?

Please give me some good explanation as I will assign good points to all that assist.
Gopi Sekar
Honored Contributor
Solution

Re: sudoers


It looks like you have a big security loophole. Here is what I gathered from the man page of sudoers:

SECURITY NOTES
It is generally not effective to "subtract" commands from ALL using the '!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

    bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).


I hope you have understood what kind of security risk you are in now. Please remove the access from him, and if he really wants the access then take it up with management and get their approval before giving access to him. Tomorrow nobody should blame you for something which you have not done.

Rega
Never Never Never Giveup
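A worked model of the matching rule behind Stuart's reading of the line and the sudoers(5) note Gopi quotes, as an added example that is not part of the original thread and is not sudo's own code. It parses the fragment from the question (constructed sample input, with the stray trailing comma after /bin/bsh removed), applies the sudoers rule that entries are tried in order and the last matching entry wins, and shows that /bin/bash is denied while a copy of it under another name, such as /tmp/notbash, is allowed because it matches ALL and none of the negated entries. The allow-list alternative at the end uses a hypothetical command path, /usr/local/bin/deploy-app, which is an assumption and not something the thread recommends. Only the subset of sudoers syntax used in the thread is handled (no Runas specs, tags, Defaults, or user/host aliases).

```python
"""Model of how sudo evaluates 'testuser ALL=ALL,!SHELLS, !SYSTEMDOWN, !SU'.

Added example, not code from the original thread and not sudo's own parser.
It implements the rule from sudoers(5): entries are tried in order and the
last matching entry wins, so a command that matches ALL but none of the
negated entries is permitted. Only the syntax used in the thread is handled.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample: the fragment from the question, with the trailing
# comma after /bin/bsh removed so that it parses.
SAMPLE_SUDOERS = """\
# Cmnd alias specification
Cmnd_Alias SYSTEMDOWN = /sbin/reboot, /usr/sbin/reboot, \\
    /sbin/halt, /sbin/poweroff, \\
    /sbin/shutdown, /sbin/init, /sbin/telinit
Cmnd_Alias SHELLS = /bin/sh, /bin/csh, /bin/ksh, \\
    /bin/tcsh, /usr/bin/rsh, \\
    /bin/zsh, /bin/ash, /bin/ash.static, \\
    /bin/bash, /bin/bash2, /bin/bsh
Cmnd_Alias SU = /bin/su
# User privilege specification
testuser ALL=ALL,!SHELLS, !SYSTEMDOWN, !SU
"""

# Hypothetical allow-list alternative (the command path is an assumption):
# grant only the commands actually needed, never ALL minus exceptions.
# The allowed binary must of course not be writable by the user.
ALLOWLIST_SUDOERS = "testuser ALL=/usr/local/bin/deploy-app\n"


def _logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_sudoers(text):
    """Return (cmnd_aliases, user_specs), each mapping a name to its entries."""
    aliases, specs = {}, {}
    for line in _logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+([^\s=]+)\s*=\s*(.+)", line)
        if m:
            user, _hosts, cmnds = m.groups()
            specs.setdefault(user, []).extend(c.strip() for c in cmnds.split(","))
    return aliases, specs


def expand(entry, aliases):
    """Yield (negated, command) pairs; '!ALIAS' negates every member of the alias."""
    negated = False
    while entry.startswith("!"):
        negated = not negated
        entry = entry[1:].strip()
    if entry in aliases:
        for member in aliases[entry]:
            for neg, cmd in expand(member, aliases):
                yield neg ^ negated, cmd
    else:
        yield negated, entry


def would_allow(command, entries, aliases):
    """Last matching entry wins, as sudoers(5) describes; paths match as globs."""
    verdict = False
    for entry in entries:
        for negated, pattern in expand(entry, aliases):
            if pattern == "ALL" or fnmatchcase(command, pattern):
                verdict = not negated
    return verdict


def audit(text):
    """Flag users granted ALL minus '!' entries; sudoers(5) calls that advisory at best.

    Returns {user: [negated commands]} for every such specification.
    """
    aliases, specs = parse_sudoers(text)
    findings = {}
    for user, entries in specs.items():
        flat = [pair for entry in entries for pair in expand(entry, aliases)]
        grants_all = any(not neg and cmd == "ALL" for neg, cmd in flat)
        if grants_all and any(neg for neg, _ in flat):
            findings[user] = sorted(cmd for neg, cmd in flat if neg)
    return findings


if __name__ == "__main__":
    aliases, specs = parse_sudoers(SAMPLE_SUDOERS)
    for cmd in ("/bin/bash", "/sbin/reboot", "/tmp/notbash"):
        ok = would_allow(cmd, specs["testuser"], aliases)
        print(f"{cmd:14} -> {'ALLOWED' if ok else 'denied'}")
    print("advisory-only specs:", list(audit(SAMPLE_SUDOERS)))
    a2, s2 = parse_sudoers(ALLOWLIST_SUDOERS)
    print("/tmp/notbash under allow-list ->",
          would_allow("/tmp/notbash", s2["testuser"], a2))
```

Running it shows /bin/bash and /sbin/reboot denied but /tmp/notbash allowed under the posted line, which is exactly the copy-to-another-name bypass the man page describes; the same audit run over the allow-list variant reports nothing and denies /tmp/notbash. The same reasoning applies to anything that lets the user run a command path of his choosing as root, which is why the man page also mentions shell escapes from editors.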
Ragni Singh
Super Advisor

Re: sudoers

Thanks, you get a BIG 10.