ankush grover wrote:
Hi friends,
I want to configure sudo access for some users on my system. I am currently
using FC7 on my system. What they require (I mean users) is to do all the
things except they cannot su/su - to become any other user or root user, they
If you try to say they can do everything except ... London to a brick
you will forget something.
If you say they can do these things [ ... ] then probably you will
forget something too, but you will not have so much worry about them
doing something they ought not.
You can probably further constrain them using selinux; you don't want
them using anything that opens (for example) /etc/passwd or /etc/shadow
or /etc/inittab for output.
You don't want them running any shells (so no sudo -i) unless you have
them thoroughly constrained with selinux.
If they can sit at the console and boot manually, you have some problems
to solve.
For example:
Can someone boot unauthorised media?
-- I could run Knoppix
Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5 \
ro root=/dev/VolGroup00/LogVol00 init=/bin/bash
otoh if you've lost a fight with the proverbial bus, then someone may
well need to do one of these.
should not be able to change anybody's password or at least root's password,
cannot modify /etc/sudoers and /etc/pam.d/su files. I have a script which
can extract all commands issued with "sudo" but if these users become root
then I won't be able to know who has done what.
AFAIK anyone who can modify the user base can add a "root" user.
Log to another machine, where they cannot interfere with the logs.
I have already restricted su/su - access by editing /etc/pam.d/su and
uncommenting the below line:
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
Authentication on my system is done through LDAP but also the "Use MD5", "Use
Shadow" and "Local Authorization is sufficient" options are enabled so that a
local user, for example myself, can login without authenticating to LDAP. Users for
which I want to configure sudo access will all be authenticated through
LDAP.
Currently I have added these 2 lines in /etc/sudoers (I used visudo command
to edit this file)
test ALL=(ALL) ALL, !/usr/bin/su
test2 ALL=(ALL) ALL, !/usr/bin/su
You forgot runuser, which goes to illustrate my point.
What about the user who writes this program and runs it with su?
07:30 [summer@numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer@numbat ~]$ chmod +x bin/fakeshell
07:31 [summer@numbat ~]$ bin/fakeshell
[summer@numbat ~]$ logout
07:31 [summer@numbat ~]$
Note the shell prompt changed.
Both test and test2 are able to become root when they use "sudo su -" but
they are not able to become root user when they issue "su -". How do I
restrict these users from becoming root or any other user through "sudo su -",
and also these users should not be able to change their own or other users'
passwords on this system.
Thanks & Regards
Ankush Grover
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
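The thread's point is that a deny-list ("ALL, !/usr/bin/su") can never be complete, because runuser, sudo -i, or a user-written wrapper that exec's a shell all slip past it. Below is an added sudoers fragment, not from the thread or any FC7 default, written the other way round as an allowlist; the user names are those from the thread, while the command set, the Defaults options and the syslog line are assumptions for illustration.

```sudoers
# Added example, not from the thread. Edit only with visudo, which
# checks the syntax before it saves.

# --- The deny-list from the thread, kept here only for contrast ---
# test   ALL=(ALL) ALL, !/usr/bin/su
# Everything not named stays allowed: runuser, "sudo -i", "sudo bash",
# or the fakeshell wrapper above all still reach a root shell.

# --- Allowlist: name exactly what the users may run, and as whom ---
User_Alias  OPERATORS = test, test2

# Paths as on FC7 (assumed); sudo compares the full path and arguments.
Cmnd_Alias  SERVICES  = /sbin/service, /sbin/chkconfig
Cmnd_Alias  PACKAGES  = /usr/bin/yum
Cmnd_Alias  LOGVIEW   = /bin/cat /var/log/messages, \
                        /usr/bin/tail /var/log/messages

# Only root as the target user, only these commands. passwd, su,
# runuser, visudo and any shell are simply absent, so they are denied.
OPERATORS   ALL = (root) SERVICES, PACKAGES, LOGVIEW

# Block shell escapes from programs sudo starts (pagers, editors,
# anything that exec()s a child).
Defaults:OPERATORS  noexec

# Keep every invocation in the log with host and year; send it via
# the authpriv facility so the syslog daemon can forward it off-box
# (e.g. in syslog.conf: "authpriv.*  @loghost") where a local root
# cannot rewrite it.
Defaults    syslog=authpriv
Defaults    log_host, log_year
```

Check the result with "sudo -l" as each user: the listed commands, and nothing else, should appear.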