Restrict sudo -i or sudo -s commands from sudoers file

0

Is there a way to restrict the following commands sudo -i or sudo -s in the sudoers file?

When I add !/usr/bin/sudo -i or !/usr/bin/sudo -s, sudo still allows users to run the command.

alisacworld

Posted 2017-05-19T16:49:51.647

Reputation: 1

2 – And what about sudo /bin/bash or sudo /bin/zsh or sudo /some/renamed/bash? If you want to restrict users, you have to whitelist allowed commands. – Daniel B – 2017-05-19T17:50:07.500

Are you saying that I should whitelist instead of having a blacklist? – alisacworld – 2017-05-19T21:39:20.107

Answers

0

I know this is not a good answer, as I can't directly reply to your question, but in man sudoers there's a section called Preventing Shell Escapes which I think may be of interest to you:

Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.

There are two basic approaches to this problem:

   restrict  Avoid giving users access to commands that allow the user to
             run arbitrary commands.  Many editors have a restricted mode
             where shell escapes are disabled, though sudoedit is a better
             solution to running editors via sudo.  Due to the large
             number of programs that offer shell escapes, restricting
             users to the set of programs that do not is often unworkable.

   noexec    Many systems that support shared libraries have the ability
             to override default library functions by pointing an
             environment variable (usually LD_PRELOAD) to an alternate
             shared library.  On such systems, sudo's noexec functionality
             can be used to prevent a program run by sudo from executing
             any other programs.  Note, however, that this applies only to
             native dynamically-linked executables.  Statically-linked
             executables and foreign executables running under binary
             emulation are not affected.

niglesias

Posted 2017-05-19T16:49:51.647

Reputation: 199

0

A blacklist in sudoers is almost certainly a waste of time. There are just too many workarounds.

For implementing any sort of restrictions a whitelist is the only practical approach. Even then be careful of permissions on any commands included in the whitelist (regular auditing of this will be required), any commands that may allow shell escapes, and any commands that can write new/existing files.

So, for example, these are bad ideas:

  • allowing sudo access to execute a script owned by the user
  • giving sudo access to "less"
  • giving sudo access to "cp"

Matt P

Posted 2017-05-19T16:49:51.647

Reputation: 111
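The two answers above point the same way: drop the blacklist, whitelist a small set of root-owned commands, and use noexec and sudoedit to close shell escapes. The following sudoers fragment is an added example of that, not part of any answer on this page; the user "deploy", the service "myapp.service" and the config path are hypothetical.

```sudoers
# Constructed example; install as /etc/sudoers.d/deploy and check syntax
# with `visudo -c -f /etc/sudoers.d/deploy` before relying on it.

# What the question tried. This does not restrict anything useful:
# the '!' entries only exclude those exact command lines, while
# "sudo /bin/bash", "sudo /some/renamed/bash" or an editor's shell
# escape still produce a root shell because "ALL" is still granted.
#deploy ALL=(ALL) ALL, !/usr/bin/sudo -i, !/usr/bin/sudo -s

# Whitelist instead: only the specific command lines this role needs.
# Every path must be root-owned and not group/world writable, or the
# user can replace the binary and run whatever they like as root.
Cmnd_Alias DEPLOY_CMDS = /usr/bin/systemctl restart myapp.service, \
                         /usr/bin/systemctl status myapp.service

# NOEXEC: the allowed program may not exec other programs (dynamically
# linked executables only, per the man page excerpt quoted above).
deploy ALL=(root) NOPASSWD: NOEXEC: DEPLOY_CMDS

# Editing a root-owned file: sudoedit runs the editor as "deploy" on a
# temporary copy, so the editor's shell escape never runs as root.
# Never whitelist the editor binary itself (e.g. /usr/bin/vim).
deploy ALL=(root) sudoedit /etc/myapp/myapp.conf
```

Re-audit the listed paths periodically (ownership, mode, and whether a newer version of the tool grew a shell-escape or "run this script" option), since the whitelist is only as safe as the binaries it names.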