For a specific user or list of specific users, I want to make it so they are not even asked for a password but just directly refused.
Although this is after I've allowed them 1 specific command. So the sudoers file would look something like this (example):
testuser ALL = (root) NOPASSWD:NOEXEC: /bin/ls, <REFUSE_EVERYTHING_ELSE_WITHOUT_ASKING_FOR_PASSWORD>
Is this at all possible? Basically, what I want to achieve can be written as:
Allow this 1 command listed in the custom sudoers file, refuse everything else without even asking for a password, if it is this particular user.
Is that possible?
I've gone over this entire page: https://www.sudo.ws/man/1.8.15/sudoers.man.html
And haven't found it. It's just the password asking part. I want that gone. Everything else in terms of properly checking permission, I want that to stay.
Is that possible?
EDIT: The solution was something like this:
##
# User alias specification (Example user, must actually exist)
##
User_Alias TEST_USER = test_user
##
# Cmnd alias specification (Example command, multiple wildcards possible)
##
Cmnd_Alias TEST_CMD = /bin/ls */home/test_user/
# Don't ask for password on this particular user, just apply the rules.
Defaults:TEST_USER !authenticate
TEST_USER ALL = (root) NOPASSWD:NOEXEC: TEST_CMD
I'm just gonna add here: I read the comment on how this setting would allow an attacker to determine which user can execute sudo and which cannot, and that sounds like the attacker is already at the point where they're in my system and able to jump between accounts. Sounds like they got some kind of elevated access if they're at that point. That sounds worse than 1 limited account being compromised, it sounds like they can access all accounts at this point.
Perhaps I'll realize it later, and be all "oh dammit, that's right", but I don't see it right now. I would honestly prefer it be explained. Should I make a separate question for it? Googling this particular option does not yield many results; it seems relatively unknown.
That being said, this particular situation I created is for a user that doesn't have a password at all. So I think an attacker in that case might try a password a few times, maybe a purpose-crafted string even, and then conclude "oh this user doesn't have a password I can't do anything with this user" and move on. Just the same as with disabling authentication. At least now they can't enter a purpose crafted string at all.
Is that horribly naive?
According to the sudo FAQ documentation at https://www.sudo.ws/troubleshooting.html you can use !authenticate to disable passwords completely on a per-user or per-host basis, so something like that in your /etc/sudoers file should work.
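An added example, not part of the question or the answer above, covering the per-user !authenticate fragment from the asker's EDIT and the caveat that goes with its Cmnd_Alias: sudoers(5) matches command-line arguments as one space-joined string with fnmatch(3)-style wildcards, so a "*" in an argument also matches across word boundaries. The script below simulates that matching for a spec such as "/bin/ls */home/test_user/", renders a tighter fragment with explicit argument variants, and optionally checks it with visudo -c -f (which also checks owner and mode, so it only passes cleanly when run as root on a 0440 file). The username test_user, the alias names and the sample argv lists are constructed for illustration; nothing here is sudo's own code.

```python
"""Simulate sudoers Cmnd matching with wildcard arguments and render a
per-user !authenticate fragment. Added example; not from the original post."""
import fnmatch
import os
import shutil
import subprocess
import tempfile
from typing import List, Optional

# The asker's alias, with a leading "*" in the argument pattern.
LOOSE_SPEC = "/bin/ls */home/test_user/"
# Safer variants: spell out the argument forms you actually want to allow.
TIGHT_SPECS = [
    "/bin/ls /home/test_user/",
    "/bin/ls -l /home/test_user/",
    "/bin/ls -la /home/test_user/",
]


def cmnd_matches(spec: str, argv: List[str]) -> bool:
    """Approximate sudoers(5) matching for one Cmnd spec.

    argv[0] must be the fully qualified program (sudo resolves it before
    matching). If the spec carries no arguments, any arguments are allowed;
    a spec ending in "" allows no arguments; otherwise the user's arguments,
    joined by single spaces, are matched as ONE string with fnmatch(3)
    semantics, so "*" also matches spaces and "/" (the sudoers(5) caveat).
    """
    parts = spec.split(None, 1)
    spec_cmd = parts[0]
    spec_args = parts[1] if len(parts) > 1 else None
    prog, args = argv[0], argv[1:]
    if not fnmatch.fnmatchcase(prog, spec_cmd):
        return False
    if spec_args is None:
        return True
    if spec_args == '""':
        return not args
    return fnmatch.fnmatchcase(" ".join(args), spec_args)


def any_cmnd_matches(specs: List[str], argv: List[str]) -> bool:
    """True if any spec in a Cmnd_Alias list permits argv."""
    return any(cmnd_matches(s, argv) for s in specs)


def render_fragment(user: str, cmnds: List[str]) -> str:
    """Render a sudoers fragment: one allowed alias for the user, no password
    prompt at all (Defaults:ALIAS !authenticate), everything else refused."""
    alias = user.upper()  # alias names: uppercase letters, digits, underscore
    lines = [
        f"User_Alias {alias} = {user}",
        f"Cmnd_Alias {alias}_CMD = " + ", ".join(cmnds),
        f"Defaults:{alias} !authenticate",
        f"{alias} ALL = (root) NOPASSWD:NOEXEC: {alias}_CMD",
    ]
    return "\n".join(lines) + "\n"


def check_with_visudo(fragment: str) -> Optional[bool]:
    """Run `visudo -c -f <tmpfile>` if visudo is installed; None if it is not.
    Note: -c also verifies owner root and mode 0440, so expect a clean pass
    only when run as root."""
    if shutil.which("visudo") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as f:
        f.write(fragment)
        path = f.name
    try:
        os.chmod(path, 0o440)
        return subprocess.run(["visudo", "-c", "-f", path],
                              capture_output=True).returncode == 0
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample invocations (after sudo has resolved the program path).
    samples = [
        ["/bin/ls", "-la", "/home/test_user/"],      # intended
        ["/bin/ls", "/root/", "/home/test_user/"],   # also lists /root (!)
        ["/bin/ls", "/home/test_user/", "/etc"],     # pattern anchored at end
    ]
    for argv in samples:
        print(f"{' '.join(argv):45} loose={cmnd_matches(LOOSE_SPEC, argv)!s:5} "
              f"tight={any_cmnd_matches(TIGHT_SPECS, argv)}")
    frag = render_fragment("test_user", TIGHT_SPECS)
    print(frag)
    print("visudo -c:", check_with_visudo(frag))
```

The second sample is the one to look at: with the loose spec, "/bin/ls /root/ /home/test_user/" is allowed because "*" swallows "/root/ " as part of the argument string, which is exactly the messages /etc/shadow case described in the sudoers(5) wildcard section. The explicit list in TIGHT_SPECS rejects it. Drop the rendered fragment into /etc/sudoers.d/ as root, mode 0440, and confirm the resulting policy with sudo -l -U test_user.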