7

We need to add a few users to the sudoers file on Linux. They should be able to do anything root can except the following:

  • Should not modify, read, delete /nfsshare/config
  • Should not modify, read, delete /etc/passwd
  • Should not mount anything
  • Should not change root password
  • Should not edit /etc/sudoers or run visudo to add other users

Is this possible?

terdon
  • 242,166
sagar
  • 259

4 Answers

25

I am, basically, in agreement with Wissam Al-Roujoulah on this.

We need to add few users to the sudoers file

Do you really need to do this? Maybe there are other ways, using acl or regular UNIX permissions.

As Wissam Al-Roujoulah has already pointed out, trying to "blacklist" certain commands is in reality a really bad idea (read below from man sudoers, emphasis mine):

    Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended

Instead you can specify a "whitelist", e.g. the actual commands the users are allowed to run. Something like this:

user1 ALL=/sbin/shutdown

The above will allow user1 to shut down. You can add more commands in a comma separated list.

Read more about this here.

  • 3
    To illustrate how pointless it is to try to disable specific commands: you can try to block shutdown, but if you forget to block similar functionality in init/systemctl(/reboot) or still allow sudo su - or sudo sh or sudo script_that_invokes_shutdown.sh by omission, you really haven't accomplished anything. – Rhymoid Dec 11 '16 at 00:10
  • 6
    @Rhymoid: Don't forget sudo gcc my-evil-file.c; sudo a.out. Lather, rinse, repeat with Python, Perl, Ruby, Bash, etc. – Kevin Dec 11 '16 at 02:04
  • 17
    My current favorite: if "command" is blacklisted, just add another sudo and it'll work: sudo sudo command. – Chris Kuehl Dec 11 '16 at 06:55
13

I guess that is almost impossible, because you have to prevent the user from using any editor, and even that wouldn't prevent him because he can install another one or move the binary to any other location and use it.

The main point is that you can't add a user to sudoers and give him all permissions but some.

You have to do it the opposite way.

4

su/sudo access is opt-in, not opt-out. Once they are able to get a root shell they can circumvent any other protections you put in place. If they have specific things that need to be run and managing the sudoers file is too complicated (which is probably the best approach to take in general), consider writing small single-purpose binaries that launch the thing and then set the setuid flag on them instead.

fluffy
  • 975
  • Don't write custom binaries, use the option of sudo to restrict the user to a certain command – Ferrybig Dec 11 '16 at 15:17
  • 1
    The reason I suggested custom binaries is because you can't set a shell script setuid, and managing the permissions within the sudoers file can be pretty perilous on its own. But point well taken - I'll amend the answer. – fluffy Dec 12 '16 at 05:05
0

Did you look at using SELinux? Which distribution are you using?

It might be possible to create a new SELinux user and give him only the needed privileges (access to roles). It will be an opt-in, so you will need to list everything that the user needs to do.

Bigon
  • 2,162