Home / server / Questions / 36759
Accepted
devin
Asked: 2009-07-07 18:30:11 +0800 CST

Editing sudoers file to restrict a user's commands

  • 772

Is it possible to edit the sudoers file so a user can use sudo for any command except for a specified one? I reverse is true, I believe, that the sudoers file can be setup so that a user can only execute a given list of commands.

EDIT: the commands I really want to take away are halt and reboot... this makes me think there are special system calls for halt and reboot. Can you take system calls away from a user? If not, is it because the unix permission system abstracts over system calls neglecting this?

linux sudo

9 Answers

  1. Best Answer

    Another way to look at it is that if the users have largely unrestricted root access they can easily gain full root access.

    While you might be able to work something out it would be easily circumvented.

    SElinux though is a possible way, although it does take a lot to learn.

    • 5

  2. Yes and no... You can prevent a user from running a specific file by preceding the file with a bang (!), however you cannot stop a user from copying the file to another location and then running it from there.

    User_Alias    ADMINS = peter, bob, bunny, %operator

ADMINS        ALL    = !/usr/bin/su, !SHELLS

    Granting Access to Specific Files as Another User

    • 4

  3. To do what you want (keep the user form running halt, reboot and shutdown), you're going to have to look into SElinux stuff to prevent the user from making those syscalls. Otherwise the user will just run /bin/sh first and then run /bin/halt without going through sudo.

    • 3

  4. Log everything they do via sudo, presumably, you have some way to get the point across to not do it again.

    Defaults logfile=/var/log/sudolog

    will log all commands they run, google a bit for more info.

    • 3

  5. If the user really wants to reboot, he will find a way. sudo -s, sudo -i, sudo $EDITOR /etc/sudoers... can be used to remove your restrictions.

    And on Unix-like systems you are allowed to reboot the system as long as you're root (uid 0). If you do find a way to restrict those system calls, one could do this:

    user$ echo b | sudo tee /proc/sysrq-trigger

    or a variation thereof. Or reboot by causing a kernel panic. Or...

    Finally, having root access usually gives you the ability to remove whatever restrictions are in place.

    • 2

  6. sure, as root call visudo and prevent 'user' from running /sbin/halt:

    user ALL=(ALL) NOPASSWD: !/sbin/halt
    • 1

  7. The following line should let the user "jim" run everything but /usr/bin/kill and /usr/bin/su.

    jim          ALL= !/usr/bin/kill,!/usr/bin/su
    • 1

  8. There is a risk in doing this way: there are often may ways to do the same action. For example, telnit 6 or init 6 does a reboot too. There might be a way to force the kernel to core dump and reboot too.

    • 1

  9. This is untested and YMMV but what about setting up a cmd_list of the commands you dont want run and then use !cmd_list for the specified group/user?

    I dont have access to test this and just looked at the manual page online at Sudoers Manual so some experts will correct me here if I am wrong

    • 0