Home / ubuntu / Questions / 259293
Accepted
Ricardo Altamirano
Asked: 2013-02-22 08:00:07 +0800 CST

Will this sudo rule allow a user to update the system and nothing more?

  • 772

I want to design a sudo rule that will allow the user ricardo to update the system using aptitude, but prevent him from using sudo to run any other command (he's a problem user). Are there any pitfalls to this rule that I'm missing?

ricardo  ALL=(root) /usr/bin/aptitude

Ricardo only uses aptitude, not apt-get. Also, I don't have Ubuntu installed anywhere at the moment, so I understand that /usr/bin/aptitude might not be the exact right file to allow.

If there are pitfalls to this rule, how can I improve it?

updates

3 Answers

  1. Best Answer

    This command will restrict the user from using aptitude for anything but updating the repository cache and performing a safe upgrade of the system. 

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade

    A similar command will allow the user to perform a full upgrade, but nothing more:

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude full-upgrade

    Per aptitude's documentation (10.04), safe-upgrade:

    Upgrades installed packages to their most recent version. Installed packages will not be removed unless they are unused

    In contrast, full-upgrade:

    Upgrades installed packages to their most recent version, removing or installing packages as necessary. This command is less conservative than safe-upgrade and thus more likely to perform unwanted actions. However, it is capable of upgrading packages that safe-upgrade cannot upgrade.

    Use your best judgement for which the user should be allowed to run. If you're unsure, use the first rule, which only allows safe-upgrade.

    Note that if you want to allow a user to install packages (which greatly reduces any benefit to security, but hypothetically), you need to include a * after the aptitude command, i.e.

    ricardo ALL=(root) /usr/bin/aptitude update, /usr/bin/aptitude safe-upgrade, /usr/bin/aptitude install *

    Otherwise, you will receive an error message that user ricardo is not allowed to run the command /usr/bin/aptitude install <package_name>.

    • 5

  2. You can use sudo -l to see which commands a user is allowed to run. For instance, to see which commands ricardo can run:

    sudo -ll -U ricardo

    to see whether he can run aptitude,

    sudo -ll -U ricardo /usr/bin/aptitude

    this will either print the command name as it's expanded by sudo, or exit with code 1 if the user is not allowed to use the command.

    This should work in any recent debian-based system for you to test; the syntax is not Ubuntu-specific.

    source: man sudo

    • 4

  3. I can not actually see anything wrong with that sudoers line. Unfortunately, I have not messed around with sudo's configuration settings that much, so in that case, my advice may not be reliable. Fortunately, what I can do is give you a line that I do know is safe:

    ricardo ALL=/usr/bin/aptitude

    This line is guaranteed to only let ricardo execute aptitude as root, as long as ricardo is not a member of a sudo-enabled group, such as sudo or admin.

    Source: 8 Ways to Tweak and Configure Sudo on Ubuntu - How-to Geek.

    • 2