i.e. we want to prevent cgerada from running tcpdump, but he must still be able to run all other commands as root using sudo. Further, you do not want cgerada to have the ability to run sudo -i,
which effectively changes cgerada to the root user.
Normally with sudo you list the programs that the user is allowed to run with root privileges.
In this example you want to list and implement a program that is not allowed.
To edit the sudoers config file
type visudo [enter]
which will bring up the sudoers file in vi ready to edit.
Under the section where the Cmnd_Alias examples are commented out, add the following alias
Cmnd_Alias DISALLOWED = /usr/sbin/tcpdump, /bin/bash
(the path must be the full path of the binary sudo will resolve, /usr/sbin/tcpdump here, matching the path sudo reports in the denial message below)
You can separate with commas all the commands that you want to disallow.
I'm also disallowing /bin/bash simply because when a user types sudo -i a new bash session is started as root. By disallowing this my user will not be able to sudo -i.
Further down in the sudoers file where you see
root ALL=(ALL) ALL
add the following underneath
cgerada ALL=ALL, !DISALLOWED
The ! (bang) negates the entry: without the ! the user would be granted access to those programs;
with the ! in front, the opposite is true and those programs are denied.
save the file and exit by typing :x [enter]
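As an added example (not part of the original post), the shell script below generates the same two sudoers lines from a user name and a list of forbidden commands, then syntax-checks the fragment with visudo -cf before anything is installed. The function names, the drop-in path /etc/sudoers.d/cgerada and the use of a temp file for the check are assumptions for illustration; the original post edits /etc/sudoers directly. Note that the sudoers manual documents the ! operator as easy to circumvent when subtracting commands from ALL, so treat this as a guard against accidental use rather than a hard security boundary.

```shell
#!/bin/sh
# Added example: build and validate a sudoers fragment that grants a user
# everything except a DISALLOWED command alias. Assumed helper names and
# paths; nothing here is the original post's own code.

# Print the two sudoers lines for USER, forbidding every command given.
# usage: build_sudoers_fragment USER CMD1 [CMD2 ...]
build_sudoers_fragment() {
    user="$1"; shift
    list=""
    for cmd in "$@"; do
        if [ -z "$list" ]; then list="$cmd"; else list="$list, $cmd"; fi
    done
    printf 'Cmnd_Alias DISALLOWED = %s\n' "$list"
    printf '%s ALL = ALL, !DISALLOWED\n' "$user"
}

# Syntax-check a fragment with visudo -cf in a temp file (no root needed,
# since the file path is given explicitly so owner/mode are not checked).
# Returns 0 when visudo accepts the fragment or when visudo is absent.
check_fragment() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; skipping syntax check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if visudo -cf "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Demo: generate the fragment for cgerada exactly as described in the post
# (full paths, as sudo resolves them) and report whether visudo parses it.
fragment=$(build_sudoers_fragment cgerada /usr/sbin/tcpdump /bin/bash)
printf '%s\n' "$fragment"
if check_fragment "$fragment"; then
    echo "fragment parses; install as root with: visudo -f /etc/sudoers.d/cgerada" >&2
else
    echo "fragment rejected by visudo; do not install it" >&2
fi
```

After installing the fragment, `sudo -l -U cgerada` (run as root) lists the effective rules for the user, which is a quicker check than trying each command. Keeping the rule in a drop-in under /etc/sudoers.d assumes the default @includedir line is present in /etc/sudoers, as it is on most distributions.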
Now look what happens if the user cgerada tries to run tcpdump
sudo tcpdump -n port 25
[sudo] password for cgerada:
Sorry, user cgerada is not allowed to execute '/usr/sbin/tcpdump -n port 25' as root on server.
Now look what happens if the user tries to sudo -i
sudo -i
[sudo] password for cgerada:
Sorry, user cgerada is not allowed to execute '/bin/bash' as root on server