0

I have a line in a script which is working, but not working from the command line.

echo "User ALL = NOPASSWD: ALL, !/bin/su" | sudo tee -a /etc/sudoers



[user@localhost ~]$ echo "test ALL = NOPASSWD: ALL, !/bin/su" | sudo tee -a /etc/sudoers
bash: !/bin/su": event not found
[user@localhost ~]$

Edit: I am trying to add a sudo user with no permission to run the su command, while the sudo user has passwordless access to root using sudo -i. I was just checking each command in that script to see how they work on the command line.

I found a workaround for this on the command line: I have to use "'!'"/bin/su. So can someone help explain why this didn't work on the command line?

Panda
  • 111
  • 3
    First of all, why are you editing the sudoers file in this fashion instead of with visudo? Second, it's the wrong format - no need for !. Third, it should be username ALL = NOPASSWD: /bin/someprogram, no comma. I've no idea what you're trying to do here, but it's the wrong approach in the first place. If your test user gets compromised, you basically give the attacker access to the su binary – Sergiy Kolodyazhnyy Jan 15 '17 at 07:25
  • I was not sure visudo would work with a script (will it work?). ! which I believe will negate the command that follows it, so the user won't be able to execute it. Edited the question for clarity. – Panda Jan 15 '17 at 07:55
  • 2
    @FoodPanda You never want to script edits against /etc/sudoers. It's a file that you, as the admin, should edit manually and carefully... with visudo. – Kusalananda Jan 15 '17 at 07:56
  • @Kusalananda: It was a server hardening script which will add a new user and disable root access. – Panda Jan 15 '17 at 07:58
  • @FoodPanda A new user doesn't by default have root access anyway, and no access to sudo either. Adding that line to sudoers will give them root access through sudo, and the possibility to edit the sudoers file themselves (if I'm reading it right). – Kusalananda Jan 15 '17 at 08:05
  • 1
    su does not give special powers to root. So preventing someone with root capabilities from using it is pointless. – ctrl-alt-delor Jan 15 '17 at 14:51

3 Answers

6

[Please read carefully the comments that go with your question as it appears that you are not doing things the right way with sudo]

In bash, there is a mechanism called "history substitution" which is enabled on the command line. It allows you to insert all or part of a previous command (hence the "history") in the command you are editing.

The character that triggers history substitution is !. For example !WORD is replaced with the last command beginning with WORD. If you have no such command, bash will complain with the error message you got: bash: !WORD: event not found.

If you have to type a ! without activating the history substitution mechanism, you have to either escape it \! or enclose it in single quotes '!'.

For example: echo 'User ALL = NOPASSWD: ALL, !/bin/su' | ...

If history expansion is troublesome for you, you can also disable it with set +H, type your commands without quoting the !, and re-enable it later with set -H.

xhienne
  • 17,793
  • 2
  • 53
  • 69
2
  1. su does not give special powers to root. So preventing someone with root capabilities from using it is pointless.
  2. Only edit sudo files with visudo: create a new sudo file to augment the original and put it in /etc/sudoers.d/.
  3. You need to escape the !: "bla bla bla \! bla bla" or 'bla bla bla ! bla bla'. Single quotes will stop all evaluation of the string.
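An added example (not from any of the answers or from the asker's script) that puts the first answer's single-quoting advice and this answer's /etc/sudoers.d/ advice into a POSIX sh function: the rule is rendered inside single quotes so the literal ! is never seen by history expansion, written to a drop-in file, checked with visudo -cf where visudo is installed, and only then given mode 0440 and moved into place. The user name deploy, the command being allowed, and the target directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Example code, not the original hardening script. Names are placeholders.

# Render the drop-in text. Everything in single quotes reaches printf
# untouched, so the '!' in the header comment cannot trigger bash's
# "event not found" at an interactive prompt; in a script it never could.
sudoers_fragment() {
    # $1 = user name, $2 = command spec (a specific command, not ALL)
    printf '%s\n' '# Managed by hardening script, edit with visudo, not by hand!'
    printf '%s ALL = NOPASSWD: %s\n' "$1" "$2"
}

# Write the fragment next to its final location, validate it, then install it.
# A syntax error in a live sudoers drop-in breaks sudo for every user, so
# the file is checked before it becomes visible under the final name.
install_sudoers_fragment() {
    dir=$1 name=$2 user=$3 cmd=$4
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    sudoers_fragment "$user" "$cmd" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        # visudo -c -f parses only this file and exits non-zero on errors.
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    # sudo refuses drop-ins that are group/world writable; 0440 is the norm.
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$name"
}

# Stand-alone demo into a scratch directory instead of /etc/sudoers.d/.
if [ -z "$SUDOERS_EXAMPLE_NO_DEMO" ]; then
    demo=$(mktemp -d)
    install_sudoers_fragment "$demo" deploy deploy '/usr/bin/systemctl restart myapp' \
        && cat "$demo/deploy"
    rm -rf "$demo"
fi
```

Run as root with `$dir` set to /etc/sudoers.d to install for real; the demo block writes only to a temporary directory.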
1

I believe this will not help you prevent a user with sudo privilege from executing the su command, because any user with sudo privilege can copy su from its default directory and then execute it. As always, you can't give a user full sudo privilege and then prevent him from doing specific things, because he will always find a way around the restriction. You have to do it the opposite way: give him only some privileges.