Recipe 5.14 Restricting root s Abilities via sudo

Previous page
Table of content
Next page

Recipe 5.14 Restricting root's Abilities via sudo

5.14.1 Problem

You want to let a user run all commands as root except for specific exceptions, such as su.

5.14.2 Solution

Don't.

Instead, list all the permissible commands explicitly in /etc/sudoers. Don't try the reverse letting the user run all commands as root "except these few" which is prohibitively difficult to do securely.

5.14.3 Discussion

It's tempting to try excluding dangerous commands with the "!" syntax:

/etc/sudoers: smith  ALL = (root) !/usr/bin/su ...

but this technique is fraught with problems. A savvy user can easily get around it by renaming the forbidden executables:

smith$ ln -s /usr/bin/su gimmeroot smith$ sudo gimmeroot

Instead, we recommend listing all acceptable commands individually, making sure that none have shell escapes.

5.14.4 See Also

sudo(8), sudoers(5).

Previous page
Table of content
Next page
Linux Security Cookbook
Linux Security Cookbook
ISBN: 0596003919
EAN: 2147483647
Year: 2006
Pages: 247
Authors: Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
BUY ON AMAZON
Image Processing with LabVIEW and IMAQ Vision
Cisco IOS in a Nutshell (In a Nutshell (OReilly))
The Java Tutorial: A Short Course on the Basics, 4th Edition
GO! with Microsoft Office 2003 Brief (2nd Edition)
Ruby Cookbook (Cookbooks (OReilly))
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy