[sudo-users] How to prevent editing sudoers-file
Claude Hohl
longneck at bluewin.ch
Fri Nov 24 18:15:53 EST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello
I want to give root rights to a user with sudo. He should be able to
do anything, but everything has to be logged. I prevented shell
escapes with noexec.
So far, so good.
Now the serious thing:
How can I prevent the user from editing the /etc/sudoers file with sudo?
Yeees, I could add the line:
!/usr/bin/vi /etc/sudoers
But have a look at this:
ln -s /etc/sudoers ./mysudoers
sudo vi ./mysudoers
Ring any alarming bells?
Obviously, I can't deny him making a softlink to the sudoers file;
this doesn't require root rights. And I can't deny him the use of vi
(even then, there are so many other text editors that would do the
trick if executed by sudo).
The user could gain more rights, or remove some restrictions defined
in the sudoers file.
Sudo doesn't trace softlinks. I think that's a SERIOUS fault.
Or is there any possibility to make the /etc/sudoers file only
editable by visudo (and no, absolutely no write-rights to root)?
Thanks for your help
Claude
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFFZ30pkPADilYGTHwRApoSAJwPZprhH/flf0+3G7UEMALCZV+fCgCcCAt5
rDCqZH30b6P23RDAf+syhso=
=iqk3
-----END PGP SIGNATURE-----
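The symlink trick in the post above, shown as an added example (this is not code from the original message or from the sudo project). sudo matches command arguments in a sudoers entry as literal strings (or shell-style globs), so a negation like `!/usr/bin/vi /etc/sudoers` only blocks that exact spelling; a symlink, a doubled slash or a `/./` component is a different string and passes. The script builds a stand-in for /etc/sudoers under a temporary directory (constructed, nothing real is touched), compares the string check a sudoers rule performs against a canonicalising check, and counts how many aliases each one misses. `readlink -f` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from sudo itself.
# Demonstrates why "!/usr/bin/vi /etc/sudoers" cannot stop edits of the
# file: the argument is compared as text, not as a resolved path.

# Stand-in for /etc/sudoers, built in a temp directory (constructed data).
BASE=$(readlink -f "$(mktemp -d)")
PROTECTED="$BASE/etc/sudoers"
mkdir -p "$BASE/etc"
printf 'root ALL=(ALL) ALL\n' > "$PROTECTED"

# literal_match ARG: what a string-based sudoers negation sees.
# Succeeds (blocks) only when the argument text equals the path exactly.
literal_match() {
    [ "$1" = "$PROTECTED" ]
}

# canonical_match ARG: what a path-aware check would have to do instead.
# Follows symlinks and collapses "//", "." and ".." before comparing.
canonical_match() {
    resolved=$(readlink -f -- "$1" 2>/dev/null) || return 1
    [ "$resolved" = "$PROTECTED" ]
}

# Three aliases for the same file: the post's symlink plus two spellings.
WORK=$(mktemp -d)
ln -s "$PROTECTED" "$WORK/mysudoers"
ALIASES="$WORK/mysudoers $BASE/etc//sudoers $BASE/etc/./sudoers"

# count_bypasses MATCHER: how many aliases the given matcher fails to block.
count_bypasses() {
    n=0
    for p in $ALIASES; do
        "$1" "$p" || n=$((n + 1))
    done
    echo "$n"
}

echo "literal rule misses:    $(count_bypasses literal_match) of 3 aliases"
echo "canonical check misses: $(count_bypasses canonical_match) of 3 aliases"
```

The string check misses all three aliases; the canonicalising check catches them, and sudo does not perform that canonicalisation on arguments. The command half of the rule is just as weak: a user allowed to run anything can copy the editor to a new name and invoke that instead. This is why the sudoers(5) manual warns that subtracting commands from ALL with `!` is generally not effective; a deny-by-default policy that lists the permitted commands, with file editing routed through sudoedit (`sudo -e`) rather than a raw editor, is the shape that actually holds.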