[sudo-users] Restrict shells but allow execution of init scripts

Patrick Spinler spinler.patrick at mayo.edu
Thu Jun 30 12:32:50 EDT 2011


On 6/30/11 11:24 AM, JR Aquino wrote:
> On Jun 30, 2011, at 9:13 AM, Robert Petkus wrote:
> 
>> Folks,
>> I'm looking for a way to restrict users from launching a root shell using sudo but would like to allow the execution of system init shell scripts.  What would be the most logical means to proceed?
>>
>> Currently, I have config lines like so:
>> Cmnd_Alias      SHELLS = /usr/bin/*sh*, /sbin/*sh*, /bin/*sh*
>> POWERUSERS    ..., !SHELLS
> 
> I'm not sure how you could have assurances that the 'init' script couldn't execute / land the user in a shell of its own?
> 

You don't mention which OS(es) this is for, but I'd ask if the system
init shell scripts not all in /etc/init.d/ ?? Given that, this should work:

POWERUSERS	ALL=(root)	/etc/init.d/*

Or on a system that uses a facility to invoke init scripts, just give
rights to the facility, e.g.:

Current redhat:

POWERUSERS	ALL=(root)	/sbin/service *

Current ubuntu:

POWERUSERS	ALL=(root)	/sbin/initctl *

Current Solaris:

POWERUSERS	ALL=(root)	/usr/sbin/svcadm *

-- Pat



More information about the sudo-users mailing list