[sudo-users] How to questions regarding security
Jaeger at harthosp.org
Fri Oct 29 08:18:28 EDT 2004
I am developing a sudoers file for a Linux SUSE server. We want to provide the user with the ability to run most all commands as root but restrict specific ones that may cause system damage. In addition to tightening security, this will help prevent accidents.

In all cases we want the user to have root access and restrict only some activities, so they can get to files owned by root, copy files, edit appropriate files, etc.
How can we:
1a) Prevent them from altering /var/log/sudo.log. How can I prevent them from copying this file to, editing the copy, and then copying it back to? Current permissions on this file are -rw------- root. If they run "cp" as sudo and copy it to a directory they own, they are able to edit it. They could then use sudo to copy it back. I'm not sure we can disable the "cp" command in sudo, and am not sure of the syntax of the cp command to restrict the copy: /usr/bin/cp /var/log/sudo.log (but what is the second part of the copy command?)
1b) 1a applies to the sudoers file as well. (permissions) -rw-r----- 1 root root 889 Oct 28 09:46 sudoers
2) Prevent them from running forbidden commands from a script (access control). As I understand sudo, once a shell is executed, any command within that shell is not logged by sudo, nor does sudo's access control. I don't think we want to stop them from running sh, ksh, csh, bash, etc., as their application runs as root and they may need them. However, we don't want them to write a script that contains commands that we want to restrict (i.e. chown), then run the script via sudo. Is there any way to prevent this?
3) Prevent sudo users from editing all files in a directory (i.e. /etc). (I don't want to define the files specifically in the sudoers file.)

4) Prevent a user from doing a "cd" to specific

5) Allow the user to use the "find" command but not allow the "-exec" option.
The version of sudo we are running is 1.6.1-51. Version of SUSE is 8. Kernel 2.4.21-241-smp #1 SMP.
Thank you all very much in advance.
Hartford, Connecticut, 06102
jaeger at harthosp.org
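An allow-list sudoers fragment, added here as an example of the defensive approach to the questions above; it is not from the original post or from the sudo project. The user "appuser", host "app1", and the /etc/init.d/appservice and /etc/appservice.conf paths are assumptions, and sudoedit requires a release newer than the 1.6.1 mentioned in the post (it arrived in sudo 1.6.8).

```sudoers
# Added example (constructed), not part of the original post.
# Assumed names: user appuser, host app1, service "appservice".

# Log through syslog as well as to the local file, so a copy of every
# sudo record can live on a remote log host that a local root copy
# of /var/log/sudo.log cannot alter.
Defaults        syslog=authpriv
Defaults        logfile=/var/log/sudo.log
Defaults        log_year, log_host

# Name the commands the application actually needs instead of listing
# the ones to forbid: a rule such as "ALL, !/bin/cp" matches only that
# exact path and argument list, so it cannot express "never touch
# sudo.log" or "never run chown from a script".
Cmnd_Alias      APP_SVC  = /etc/init.d/appservice start, \
                           /etc/init.d/appservice stop, \
                           /etc/init.d/appservice restart

# sudoedit edits a temporary copy as the invoking user and installs it
# as root only on save, so the editor itself never runs as root.
Cmnd_Alias      APP_EDIT = sudoedit /etc/appservice.conf

# Read-only views of the application's own log, with fixed arguments.
Cmnd_Alias      APP_VIEW = /bin/cat /var/log/appservice.log, \
                           /usr/bin/tail /var/log/appservice.log

# Grant only the aliases above; nothing here allows a shell, cp,
# chown, or find, so none of them can be reached via sudo.
appuser  app1 = (root) APP_SVC, APP_EDIT, APP_VIEW
```

Check the fragment with `visudo -c` before installing it, and keep the remote syslog copy as the record of reference for sudo activity.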