[sudo-workers] How to questions regarding security

Dana Jaeger Jaeger at harthosp.org
Thu Oct 28 11:59:33 EDT 2004

I am developing a sudoers file for a Linux SUSE server.  We want to provide the user with  the ability to run most all commands as root but restrict specific ones that may cause system damage. In addition to tighting  security,  this will help prevent accidents.

In all cases we want the user to have root access and restrict (only some activities) so they can get to files owned by root copy files edit appropriate files etc.

How can we:
              1a.) Prevent them from altering the /var/log/sudo.log file.
                      How can I prevent them from copying this file to another directory, 
                     Editing the copy, and then copying it back to /var/log/sudo.log?
	     Current permissions on this file are *rw------  root    root   sudo.log
                     If they run "cp" as sudo and copy it to a directory they own,
                     They are able to edit it.   They could then use sudo to copy it back.
                     I'm not sure we can disable the "cp" command in sudo and am not sure of 
                     the syntax of the cp command to restrict the copy specifically.
                     /usr/bin/cp /var/log/sudo.log (but what is second part of the copy command) 

                  1b) 1a. applies to the sudoers file as well.
                        (permissions) -rw-r-----    1 root     root          889 Oct 28 09:46 sudoers

                  2) Prevent them from running forbidden commands from a script.  (access control)
                      As I understand sudo,  once a shell is executed, any command within that 
	      shell is not logged by sudo nor does sudo's access control affect them.
                      I don't think we want to stop them from running sh, ksh, csh, bash, etc. as their 
                      application runs as root and may they need them.  
                      However we don't want them to write a script that contains commands that  
                      we want to restrict. (i.e. chown), then run the script via sudo.
                      Is there any way to prevent this? 

                 3).  Prevent sudo users from editing all files in a directory (i.e. /etc)
                       (I don't want to define the files specifically in the sudoers file).

                 4)   Prevent a user from doing a "cd" to specific directories?

                 5)   Allow  the user to use the "find" command but
                        Not allow the "*exec" option

The version of SUDO we are running is  1.6.1-51
Verson of SUSE is 8 
Kernel 2.4.21-241-smp #1 SMP

Thank you all very much in advance.


Dana Jaeger
Hartford Hospital
Hartford, Connecticut, 06102
jaeger at harthosp.org

More information about the sudo-workers mailing list