Tuesday, February 4, 2014

Disallowing programs through Sudo

You want to grant user cgerada root privileges for every program except one; this example uses tcpdump.
That is, cgerada must not be able to run tcpdump, but must still be able to run every other command as root using sudo. Further, you do not want cgerada to be able to run sudo -i,
which effectively turns cgerada into the root user.

Normally with sudo you list the programs the user is allowed to run with root privileges.
In this example you instead list the programs that are not allowed.

To edit the sudoers config file
type visudo [enter]
which opens the sudoers file in vi (or the editor configured for visudo) ready to edit. Always use visudo rather than editing /etc/sudoers directly: it locks the file and refuses to save one with a syntax error, which would otherwise break sudo for every user on the box.

Add the following line.

Under the section where the Cmnd_Alias examples are commented out,
add the following alias:

Cmnd_Alias DISALLOWED = /usr/sbin/tcpdump, /bin/bash

You can list, separated by commas, all the commands you want to disallow. Each entry must be the absolute path of the binary as sudo resolves it (the error messages further down show /usr/sbin/tcpdump); a path that does not exist, such as /usr/tcpdump, matches nothing and silently disallows nothing.

I am also disallowing /bin/bash because sudo -i starts a new login shell as root using root's shell from /etc/passwd, which on this server is /bin/bash. By disallowing it, my user will not be able to sudo -i.

Further down in the sudoers file, where you see
root   ALL=(ALL)    ALL

add the following underneath:

cgerada ALL=(ALL) ALL, !DISALLOWED

This reads: on any host (the first ALL), cgerada may run as any target user (the (ALL)) any command (the third ALL), except the ones in DISALLOWED. The original form cgerada ALL=ALL, !DISALLOWED works too, since the target user defaults to root when the (ALL) is omitted.

The ! (bang) negates an entry: without it the user would be granted those programs, with it they are taken away. Sudo evaluates the command list left to right and the last entry that matches wins, so ALL first allows everything and !DISALLOWED then takes back the listed paths; written the other way round (!DISALLOWED, ALL) the ALL would match last and nothing would be blocked.
Be aware that this is a deny list subtracted from ALL, which the sudoers manual warns is generally not an effective restriction. It blocks only the exact paths listed: cgerada can still get a root shell with sudo /bin/sh or sudo su, or by copying the shell elsewhere (sudo cp /bin/bash /tmp/b; sudo /tmp/b), and can run tcpdump the same way. It prevents accidents and casual use, not a determined user; to actually confine someone, list the commands they are allowed to run instead of ALL.

Save the file and exit by typing :x [enter]. If visudo reports a syntax error, choose to re-edit rather than quit, or the change is discarded. You can then confirm the result without a password prompt with sudo -l -U cgerada, which prints the rules sudo has parsed for that user.

Now look at what happens when user cgerada tries to run tcpdump:

sudo tcpdump -n port 25
[sudo] password for cgerada: 
Sorry, user cgerada is not allowed to execute '/usr/sbin/tcpdump -n port 25' as root on server.



Now look at what happens when the user tries sudo -i:

sudo -i
[sudo] password for cgerada: 
Sorry, user cgerada is not allowed to execute '/bin/bash' as root on server
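
The following is an added example and is not part of the original post or of sudo itself: a small POSIX shell emulation of how sudoers decides on the rule above once the alias is expanded, with the last matching entry winning. It uses the post's DISALLOWED list and the resolved paths shown in the error messages; the function names sudo_decision and negated_alias and the sample command list are mine, and the script only computes the decision, it never calls sudo. It goes beyond the post by also checking the commands the rule still permits, to show why a deny list subtracted from ALL is weak.

```shell
#!/bin/sh
# Added example: emulate the sudoers decision for
#   Cmnd_Alias DISALLOWED = /usr/sbin/tcpdump, /bin/bash
#   cgerada ALL=(ALL) ALL, !DISALLOWED
# Function names and the sample command list are assumptions of this
# example, not sudo's own interface.  Sudoers walks the entries left to
# right and the LAST entry that matches the requested command decides;
# "ALL" matches every command and "!" flips a match to deny.  Commands are
# compared by resolved absolute path, never by name.

DISALLOWED="/usr/sbin/tcpdump /bin/bash"

# negated_alias "path ..." -> "!path ..." : how sudoers expands !DISALLOWED
negated_alias() {
    for p in $1; do printf '!%s ' "$p"; done
}

# The command list for cgerada with the alias expanded.
CGERADA_RULE="ALL $(negated_alias "$DISALLOWED")"

# sudo_decision "ENTRIES" /abs/path -> prints allow or deny
sudo_decision() {
    entries="$1"
    cmd="$2"
    decision="deny"                      # no entry matched yet: refuse
    for entry in $entries; do
        case "$entry" in
            '!'*) target="${entry#!}"; verdict="deny" ;;
            *)    target="$entry";     verdict="allow" ;;
        esac
        if [ "$target" = "ALL" ] || [ "$target" = "$cmd" ]; then
            decision="$verdict"          # last matching entry wins
        fi
    done
    printf '%s\n' "$decision"
}

# Constructed sample of what cgerada might ask sudo to run.  The first two
# are the cases the post shows being refused; the rest still get root
# because ALL matches them and nothing in DISALLOWED does.  /tmp/bash-copy
# stands for a copy of /bin/bash the user made with sudo cp.
for cmd in /usr/sbin/tcpdump /bin/bash /usr/bin/id /bin/sh /usr/bin/su /tmp/bash-copy; do
    printf '%-18s %s\n' "$cmd" "$(sudo_decision "$CGERADA_RULE" "$cmd")"
done
```

Run it with sh. Real sudo also resolves the command through secure_path before comparing, and compares arguments when an entry lists any (an entry with no arguments matches any arguments, which is why the tcpdump refusal above shows the full command line); the emulation skips both, but the ordering rule it implements is the one that makes the post's rule work and is also what lets /bin/sh and the copied shell through.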






