[sudo-workers] How to questions regarding security
Dana Jaeger
Jaeger at harthosp.org
Thu Oct 28 11:59:33 EDT 2004
I am developing a sudoers file for a SUSE Linux server. We want to give the user the ability to run almost all commands as root but restrict specific ones that may cause system damage. In addition to tightening security, this will help prevent accidents.
In all cases we want the user to have root access and to be restricted in only some activities, so they can get to files owned by root, copy files, edit appropriate files, etc.
How can we:
1a) Prevent them from altering the /var/log/sudo.log file.
How can I prevent them from copying this file to another directory, editing the copy, and then copying it back to /var/log/sudo.log?
Current permissions on this file are -rw------- root root sudo.log
If they run "cp" as sudo and copy it to a directory they own, they are able to edit it. They could then use sudo to copy it back.
I'm not sure we can disable the "cp" command in sudo, and am not sure of the syntax of the cp command to restrict the copy specifically:
/usr/bin/cp /var/log/sudo.log (but what is the second part of the copy command?)
1b) 1a. applies to the sudoers file as well.
(permissions) -rw-r----- 1 root root 889 Oct 28 09:46 sudoers
2) Prevent them from running forbidden commands from a script (access control).
As I understand sudo, once a shell is executed, any command within that shell is not logged by sudo, nor does sudo's access control affect it.
I don't think we want to stop them from running sh, ksh, csh, bash, etc., as their application runs as root and they may need them.
However, we don't want them to write a script that contains commands that we want to restrict (i.e. chown), then run the script via sudo.
Is there any way to prevent this?
3) Prevent sudo users from editing all files in a directory (i.e. /etc).
(I don't want to define the files specifically in the sudoers file.)
4) Prevent a user from doing a "cd" to specific directories?
5) Allow the user to use the "find" command but not allow the "-exec" option.
The version of sudo we are running is 1.6.1-51.
Version of SUSE is 8.
Kernel 2.4.21-241-smp #1 SMP
Thank you all very much in advance.
Regards
Dana Jaeger
Hartford Hospital
Hartford, Connecticut, 06102
jaeger at harthosp.org
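The questions above all come down to one point: sudo matches commands by path and argument string, so a rule that grants ALL and then subtracts a few names cannot hold against a user who can copy, script or shell out as root. The fragment below is an added example and not part of the original message or of the sudo project; the user names, the /opt/app paths and the backup destination are assumed for illustration. It shows the allowlist form that does hold, the exact-argument syntax that answers the "how do I restrict the copy specifically" question, and the wildcard limitation that bears on the find -exec question.

```sudoers
# Added example, not from the original message.  User names, the /opt/app
# paths and the backup destination are assumed for illustration.

# Keep the audit trail off the box.  syslog output can be forwarded to a
# remote log host; a local logfile is readable and writable by anyone who
# can run cp as root, which is the problem described for sudo.log.
Defaults        syslog=authpriv, !logfile

User_Alias      APPADMINS = alice, bob                      # assumed
Cmnd_Alias      APPCTL    = /opt/app/bin/appctl             # assumed
# A command listed with its full argument string matches only that exact
# command line, so this permits one specific copy without opening cp.
Cmnd_Alias      APPBACKUP = /bin/cp /opt/app/etc/app.conf /var/backups/app/app.conf
# A wildcard in the arguments matches any string, white space included,
# so this rule pins the starting directory but does not reject "-exec".
Cmnd_Alias      APPFIND   = /usr/bin/find /opt/app -name *

# Grant only the enumerated commands.  Nothing else runs as root through
# sudo, so there is no list of "dangerous" commands to keep up to date.
APPADMINS       ALL = (root) APPCTL, APPBACKUP, APPFIND

# Not this.  A "!" exclusion is only a name match; a user who holds ALL
# can still reach the excluded program through cp, a shell, a script or
# an editor, so the exclusion protects nothing.  sudoers(5) says as much
# in its discussion of the limitations of the "!" operator.
# APPADMINS     ALL = (root) ALL, !/bin/chown, !/usr/bin/cp
```

Edit the file with visudo so that a syntax error cannot lock everyone out. Items 2 and 5 (commands inside a script or shell, and find's -exec) are not addressable by argument matching in sudo 1.6.1; sudo 1.6.8 added the NOEXEC tag, which stops a permitted program from executing further programs, and the sudoedit mode, which lets a user edit a named root-owned file without running an editor as root. Until an upgrade, the allowlist above is the only control sudo itself offers, and the log should go to a host the users cannot reach.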