[sudo-users] restricting access to commands

Bob Proulx bob at proulx.com
Sat May 27 00:51:13 EDT 2006


Micha wrote:
> Yesterday I was puzzling about restricting access to some
> programs for this account only. For example, I hope it can
> live without 'su' (even X and desktop session ?), and I can
> setup anything more with sudo instead.

Hmm...  Why restrict it from su?  Without knowing a password a user
cannot do anything with it.

Meanwhile X and such do not use su so you can still run those without
su.  But personally I would not try to block it.

> I also don't want this account to be able list dotfiles at all.

That will be very difficult.  If you are trying to lock a user down
this tightly then best to install a kiosk instead and lock the user
into the kiosk mode.  Trapping them entirely would be the only way.

> I was thinking about replacing these commands (su and ls)
> with custom aliases or functions, but my first trials lead to
> lots of confusing errors,

Lots of confusing errors for other users on the machine.  Plus many
other programs will need ls on the machine and replacing it with a
restricted one is almost certainly going to cause problems.

> Does sudo rely on 'su' ? 

No.  Sudo is a completely independent implementation.  But both
commands do similar things to change privilege levels.  They are
similar but different.

> What is the difference at all between sudo and su -c ? 

Probably the biggest difference is:

  * su -c uses root's password
  * sudo uses the user's password

But also of importance is:

  * su -c has no restriction on what command is run
  * sudo checks the operation against what is allowed in sudoers
  * sudo logs the operation

> What would be a good approach to prohibit certain commands ?

It is very hard to prohibit only certain commands.  If that is
required it is much better to only allow certain commands and prohibit
everything else.

Best is to set a non-guessable root password and then never use it.
Use sudo after that point.  But of course some things such as console
crash recovery may still need the root login but you will know that
and so you are okay there.

Best is to only allow certain commands through sudo instead of trying
to prohibit commands.

But the only completely safe computer is one that is powered off.
However those are not very usable computers.  So we compromise and
implement different levels of security based upon what we need from
the system.  In a coffee shop trapping the user in a kiosk computer is
probably perfect.  For a server on the hostile Internet I run
firewalls, anti-intrusion checking, accounting, encryption, etc.  For
my work machine on a private network I have a high level of physical
security but a low level of computer security.  You have to physically
touch the machine but at that point you can do pretty much anything.

Everything needs judgement as to what level is needed.

Bob
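The allow-list approach Bob recommends, written out as a sudoers fragment. This is an added illustration, not part of the original message; the account name `alice`, the file path `/etc/sudoers.d/alice` and the two service commands are assumptions chosen for the example.

```sudoers
# Added example: contrast a "prohibit certain commands" rule with an
# "allow only certain commands" rule for one account (alice, hypothetical).

# Weak: grant everything, then try to subtract su.  sudoers matches the
# command by pathname, so excluding one path is not a security boundary
# (the sudoers manual documents this limitation); the account still
# effectively holds full root.
# alice ALL = (root) ALL, !/bin/su

# Better: name exactly what this account may run and nothing else.
# Arguments are fixed, so no wildcard can widen the match.
Cmnd_Alias ALICE_CMDS = /usr/bin/systemctl restart nginx.service, \
                        /usr/bin/journalctl -u nginx.service

alice ALL = (root) ALICE_CMDS

# sudo already logs each allowed and denied invocation to syslog
# (authpriv), which is the audit trail su -c never produces.
```

Drop the fragment into `/etc/sudoers.d/alice` with mode 0440 (the filename must not contain a `.` or `~`, or sudo skips it) and check it with `visudo -c -f /etc/sudoers.d/alice` before relying on it; `sudo -l -U alice` then shows exactly what the account has been granted.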
