[sudo-users] Restrict shells but allow execution of init scripts
Patrick Spinler
spinler.patrick at mayo.edu
Thu Jun 30 12:32:50 EDT 2011
On 6/30/11 11:24 AM, JR Aquino wrote:
> On Jun 30, 2011, at 9:13 AM, Robert Petkus wrote:
>
>> Folks,
>> I'm looking for a way to restrict users from launching a root shell using sudo but would like to allow the execution of system init shell scripts. What would be the most logical means to proceed?
>>
>> Currently, I have config lines like so:
>> Cmnd_Alias SHELLS = /usr/bin/*sh*, /sbin/*sh*, /bin/*sh*
>> POWERUSERS ..., !SHELLS
>
> I'm not sure how you could have assurances that the 'init' script couldn't execute / land the user in a shell of its own?
>
You don't mention which OS(es) this is for, but I'd ask if the system
init shell scripts not all in /etc/init.d/ ?? Given that, this should work:
POWERUSERS ALL=(root) /etc/init.d/*
Or on a system that uses a facility to invoke init scripts, just give
rights to the facility, e.g.:
Current redhat:
POWERUSERS ALL=(root) /sbin/service *
Current ubuntu:
POWERUSERS ALL=(root) /sbin/initctl *
Current Solaris:
POWERUSERS ALL=(root) /usr/sbin/svcadm *
-- Pat
More information about the sudo-users
mailing list