Sudo issues

Sadanapalli, Pradeep Kumar (MED, TCS) Pradeep.Sadanapalli at med.ge.com
Mon Jun 23 13:20:34 EDT 2003


Hi,
I have got a problem as given below.

There is a user, say user1, to whom I want to give root access to the
command 'rpm'.  At the same time, say I want to block root access to a
command, say 'passwd' for example.

So when a user tries to execute "#sudo rpm -ivh xyz.rpm", he can
successfully execute this. But when a user tries to execute passwd as
root, "#sudo passwd root", then the execution fails as the root access to
the command 'passwd' is denied via sudo. Fine and good.

But if the user copies the command 'passwd' as command 'rpm' overwriting
the existing 'rpm' command, say
" #cp /usr/bin/passwd /bin/rpm"

then he can execute the passwd command as root.
"#sudo rpm root", then the command prompts for the change of root
passwd and the user can successfully change the root passwd.
This is only an example, where I am using specifically two commands,
'rpm' and 'passwd'.
How can I avoid this?

What I want to do is...
I want to give a user sudo root access to all the commands under /bin
except a few.  So what I am doing is editing the sudoers file as below

" user1 host-name=/bin/*
  user1 host-name=!/bin/rpm

"

But still, now the user can execute the 'rpm' command as root, if he/she
copies the rpm command to another name in /bin. Can you suggest a
way to do this without problem? How to fully block the ability to
execute a command as root, even if the user changes the name of the
executable to a different name of the command, to which root access is
provided via sudo?  Thanks in advance...
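
An added example, not part of the original post: a small audit of the two rules quoted above that reports why a deny-by-name entry does not hold once a broad allow entry also matches file-copying tools. The `FILE_WRITERS` list and the function names are assumptions of this example, the parser handles only the simple `user host=cmd` form used in the post, and the check also covers the `ALL` keyword.

```python
import fnmatch

# Constructed, non-exhaustive list of tools that can create or overwrite files.
FILE_WRITERS = ["/bin/cp", "/bin/mv", "/bin/ln", "/bin/dd", "/bin/sh", "/bin/tar"]

# The two rules from the post (host name kept as written there).
POSTED_RULES = """\
user1 host-name=/bin/*
user1 host-name=!/bin/rpm
"""

def parse_rules(text):
    """Parse simple 'user host=cmd[,cmd...]' lines into {user: (allowed, denied)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        who, cmds = line.split("=", 1)
        allowed, denied = rules.setdefault(who.split()[0], ([], []))
        for cmd in (c.strip() for c in cmds.split(",")):
            if cmd.startswith("!"):
                denied.append(cmd[1:].strip())
            elif cmd:
                allowed.append(cmd)
    return rules

def matches(pattern, path):
    # sudoers wildcards do not match '/', so also compare the number of components.
    return pattern == "ALL" or (pattern.count("/") == path.count("/")
                                and fnmatch.fnmatchcase(path, pattern))

def audit(text):
    """Return (user, kind, detail) findings for name-based deny rules."""
    findings = []
    for user, (allowed, denied) in parse_rules(text).items():
        broad = [a for a in allowed if a == "ALL" or any(ch in a for ch in "*?[")]
        writers = [w for w in FILE_WRITERS if any(matches(a, w) for a in allowed)]
        if writers:
            findings.append((user, "can-write-files-as-root", writers))
        for d in denied:
            # A deny entry matches a path name only; a copy under another name
            # that a broad allow entry still matches runs as root.
            if broad:
                findings.append((user, "deny-by-name-bypassable", d))
    return findings

if __name__ == "__main__":
    for finding in audit(POSTED_RULES):
        print(finding)
```

A rule set that lists only exact paths and contains no file-writing tool produces no finding from these two checks; what each listed command can itself do as root is outside what this audit examines.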

