[sudo-users] How to prevent editing sudoers-file

Michael Potter pottmi at gmail.com
Sun Nov 26 10:37:18 EST 2006 

Claude,

This question comes up in many forms many times.

This comes down to that you are trying to enumerate all the bad things that
a user could do and put in a rule to avoid them.  That strategy does not
work.  There are many other ways that your user could do malious things (and
not be logged).

The man page for sudo/sudoers makes is clear that sudo is not designed to be
secure for rules that 'enumerate badness'.  The man page states that you
need to reinforce such rules with policy.

Following softlinks is not a solution to the problem because there are so
many other ways to do malious things once a rule of this sort is added to
sudoers.  Adding such a feature to sudo would just serve to give system
administrators a false sense of security.

My guess is that you want a secure way to log everything a particular user
does as root.  Maybe someone else has a suggestion of a different tool that
will meet your needs.

--
Michael Potter


On 11/24/06, Claude Hohl <longneck at bluewin.ch> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello
>
> I want to give root-rights to a user with sudo. He should be able to
> do anything; but everything has to be logged. I prevented shell-
> escapes with noexec.
> So far, so good.
>
> Now the serious thing:
>
> How can i prevent the user from editing the /etc/sudoers file with sudo?
>
> Yeees, I could add the line:
> !/usr/bin/vi /etc/sudoers
>
> But have a look at this:
>
> ln -s /etc/sudoers ./mysudoers
> sudo vi ./mysudoers
>
> Ring any alarming bells?
>
> Obviously, I can't deny him making a softlink to the sudoers file -
> this doesn't require root rights. And I can't deny him to use vi
> (even then, there are soo many other texteditors who would do the
> trick if executed by sudo).
>
> The user could gain more rights, or remove some restrictions defined
> in the sudoers file.
>
> Sudo doesn't trace softlinks. I think that's a SERIOUS fault.
>
> Or is there any possibility to make the /etc/sudoers file only
> editable by visudo (and no, absolutely no write-rights to root)?
>
>
> Thanks for your help
>
> Claude
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
>
> iD8DBQFFZ30pkPADilYGTHwRApoSAJwPZprhH/flf0+3G7UEMALCZV+fCgCcCAt5
> rDCqZH30b6P23RDAf+syhso=
> =iqk3
> -----END PGP SIGNATURE-----
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>

More information about the sudo-users mailing list