[sudo-users] How to questions regarding security

Dana Jaeger Jaeger at harthosp.org
Fri Oct 29 08:18:28 EDT 2004


I am developing a sudoers file for a Linux SUSE server.  We want to
provide the user with the ability to run most all commands as root but
restrict specific ones that may cause system damage. In addition to
tightening security, this will help prevent accidents.

In all cases we want the user to have root access and restrict (only
some activities) so they can get to files owned by root, copy files, edit
appropriate files, etc.

How can we:

1a) Prevent them from altering the /var/log/sudo.log
    How can I prevent them from copying this file to another directory,
    editing the copy, and then copying it back to
    Current permissions on this file are *rw------  root  root  sudo.log
    If they run "cp" as sudo and copy it to a directory they own,
    they are able to edit it.  They could then use sudo to copy it back.
    I'm not sure we can disable the "cp" command in sudo and am not sure of
    the syntax of the cp command to restrict the copy
    /usr/bin/cp /var/log/sudo.log (but what is second part of the copy command)

1b) 1a. applies to the sudoers file as well.
    (permissions) -rw-r-----    1 root     root     889 Oct 28 09:46 sudoers

2)  Prevent them from running forbidden commands from a script.  (access control)
    As I understand sudo, once a shell is executed, any command within that
    shell is not logged by sudo nor does sudo's access control affect them.
    I don't think we want to stop them from running sh, ksh, csh, bash, etc. as their
    application runs as root and they may need them.

    However we don't want them to write a script that contains commands that
    we want to restrict (i.e. chown), then run the script via sudo.
    Is there any way to prevent this?

3)  Prevent sudo users from editing all files in a directory (i.e. /etc)
    (I don't want to define the files specifically in the sudoers file).

4)  Prevent a user from doing a "cd" to specific

5)  Allow the user to use the "find" command but
    not allow the "*exec" option

The version of SUDO we are running is 1.6.1-51
Version of SUSE is 8
Kernel 2.4.21-241-smp #1 SMP

Thank you all very much in advance.


Dana Jaeger
Hartford Hospital
Hartford, Connecticut, 06102
jaeger at harthosp.org 
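
An added illustration, not part of the original message: a small Python check that flags the two situations the message describes, a rule that grants ALL and then subtracts specific commands, and a rule that grants a shell (inside which, as the message notes, sudo neither logs nor controls commands). The sample sudoers fragment, the user names and the finding codes are constructed, and the parser assumes simple one-line user rules without aliases or escaped commas.

```python
import os
import re

SHELLS = {"sh", "ksh", "csh", "bash"}   # the shells named in the message

# Constructed sample; user names and commands are illustrative only.
SAMPLE = """\
# constructed sudoers fragment
Defaults logfile=/var/log/sudo.log
appuser ALL = (root) ALL, !/usr/bin/chown, !/usr/bin/find
backup  ALL = (root) /usr/bin/rsync, /bin/bash
oper    ALL = (root) /bin/mount /mnt/cdrom
"""

# user  host = (runas) command-list
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")


def audit(text):
    """Return (line_no, user, code, commands) for each risky user rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        user = m.group(1)
        # Drop tags such as NOPASSWD: and split the command list.
        cmds = [re.sub(r"^([A-Z_]+:\s*)+", "", c.strip())
                for c in m.group(2).split(",")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        allowed = [c for c in cmds if c and not c.startswith("!")]
        # ALL minus exclusions: the excluded commands stay reachable through
        # any shell, script or copied binary that ALL still permits.
        if "ALL" in allowed and denied:
            findings.append((no, user, "DENYLIST", denied))
        # An explicit shell grant: commands run inside it bypass sudo's checks.
        shells = [c for c in allowed
                  if os.path.basename(c.split()[0]) in SHELLS]
        if shells:
            findings.append((no, user, "SHELL", shells))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```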
