0
Is there a way to restrict the following commands, sudo -i or sudo -s, in the sudoers file? When I add !/usr/bin/sudo -i or !/usr/bin/sudo -s, sudo still allows users to run the command.
0
I know this is not a good answer, as I can't directly reply to your question, but in man sudoers there's a section called Preventing Shell Escapes which I think may be of interest to you:
Once sudo executes a program, that program is free to do whatever it pleases, including run other programs. This can be a security issue since it is not uncommon for a program to allow shell escapes, which lets a user bypass sudo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
restrict: Avoid giving users access to commands that allow the user to run arbitrary commands. Many editors have a restricted mode where shell escapes are disabled, though sudoedit is a better solution to running editors via sudo. Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable.
noexec: Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate shared library. On such systems, sudo's noexec functionality can be used to prevent a program run by sudo from executing any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected.
0
A blacklist in sudoers is almost certainly a waste of time. There are just too many workarounds.
For implementing any sort of restrictions a whitelist is the only practical approach. Even then be careful of permissions on any commands included in the whitelist (regular auditing of this will be required), any commands that may allow shell escapes, and any commands that can write new/existing files.
So, for example, these are bad ideas:
2
And what about sudo /bin/bash or sudo /bin/zsh or sudo /some/renamed/bash? If you want to restrict users, you have to whitelist allowed commands. – Daniel B – 2017-05-19T17:50:07.500
Are you saying that I should whitelist instead of having a blacklist? – alisacworld – 2017-05-19T21:39:20.107
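To make the two answers concrete, here is an added audit script (not part of the original thread, and not sudo's own parser) that reads a small sudoers fragment and reports the patterns they warn about: a user granted ALL with "!" exceptions (the blacklist the question tries), commands that are shells, and shell-escape-prone programs granted without the NOEXEC tag. The user names, hosts and commands in both fragments are constructed for illustration; the shell and editor paths are typical Linux locations. The parser handles only Cmnd_Alias and user specification lines, which is enough for this fragment, not the full sudoers grammar.

```python
"""Audit a sudoers fragment for blacklist-style rules and shell grants.

Added example for this thread; not taken from the question or from sudo.
It parses a constructed fragment and flags: ALL granted alongside "!"
exceptions (a blacklist), commands that are shells, and escape-prone
programs granted without NOEXEC.
"""
import re

# Constructed sample fragments (illustrative users, hosts and commands).
BLACKLIST_FRAGMENT = """
# Attempted blacklist: everything except "sudo -i" and "sudo -s"
alice   ALL=(ALL) ALL, !/usr/bin/sudo -i, !/usr/bin/sudo -s
"""

WHITELIST_FRAGMENT = """
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
Cmnd_Alias LOGS = /usr/bin/journalctl -u nginx
bob     ALL=(root) NOEXEC: SERVICES, LOGS
carol   ALL=(root) /usr/bin/vim /etc/nginx/nginx.conf
dave    ALL=(root) /bin/bash
"""

# Shells, and programs the sudoers man page names as common shell-escape
# sources (editors, paginators, mail). Paths are typical Linux locations.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/bin/ksh",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}
ESCAPE_PRONE = {"/usr/bin/vi", "/usr/bin/vim", "/usr/bin/nano", "/usr/bin/less",
                "/usr/bin/more", "/usr/bin/man", "/usr/bin/mutt"}

TAGS = {"NOEXEC", "EXEC", "NOPASSWD", "PASSWD", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
# user  host = (runas) command list
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _strip(text):
    """Drop comments and blank lines; join backslash continuations."""
    joined = text.replace("\\\n", " ")
    return [ln.split("#", 1)[0].strip() for ln in joined.splitlines()
            if ln.split("#", 1)[0].strip()]


def parse_fragment(text):
    """Return (aliases, specs): Cmnd_Alias map and per-user command entries.

    Each entry is a dict with path, args, negated, noexec.  As in sudoers,
    a NOEXEC:/EXEC: tag applies to the rest of the command list.
    """
    aliases, specs = {}, []
    for line in _strip(text):
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        if line.startswith(("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue  # not needed for this audit
        m = USER_SPEC.match(line)
        if not m:
            continue
        user, _host, _runas, cmnd_list = m.groups()
        noexec = False
        for item in cmnd_list.split(","):
            item = item.strip()
            # Peel off leading TAG: prefixes, tracking the NOEXEC/EXEC state.
            while ":" in item and item.split(":", 1)[0] in TAGS:
                tag, item = item.split(":", 1)
                item = item.strip()
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            negated = item.startswith("!")
            item = item.lstrip("!")
            for cmd in aliases.get(item, [item]):  # expand Cmnd_Alias names
                path, _, args = cmd.partition(" ")
                specs.append({"user": user, "path": path, "args": args.strip(),
                              "negated": negated, "noexec": noexec})
    return aliases, specs


def audit(text):
    """Return (user, severity, message) findings for a sudoers fragment."""
    _, specs = parse_fragment(text)
    has_all = {s["user"] for s in specs if s["path"] == "ALL" and not s["negated"]}
    findings = []
    for s in specs:
        who, path = s["user"], s["path"]
        if s["negated"]:
            if who in has_all:
                rule = f"!{path} {s['args']}".strip()
                findings.append((who, "high", f"'{rule}' excludes only that exact path "
                                 "and arguments; with ALL granted, any other shell path "
                                 "(sudo -s, sudo /bin/bash, a copied binary) still matches. "
                                 "Use a whitelist instead."))
            continue
        if path == "ALL":
            findings.append((who, "high", "ALL grants every command, including shells."))
        elif path in SHELLS:
            findings.append((who, "high", f"{path} is a shell: equivalent to unrestricted root."))
        elif path in ESCAPE_PRONE and not s["noexec"]:
            hint = " Prefer sudoedit for editors." if path.endswith(("vi", "vim", "nano")) else ""
            findings.append((who, "medium",
                             f"{path} allows shell escapes and is granted without NOEXEC.{hint}"))
    return findings


if __name__ == "__main__":
    for name, frag in (("blacklist", BLACKLIST_FRAGMENT), ("whitelist", WHITELIST_FRAGMENT)):
        print(f"== {name} ==")
        for user, sev, msg in audit(frag):
            print(f"[{sev}] {user}: {msg}")
```

Run against the blacklist fragment, the script reports three high findings for alice (the ALL grant and the two ineffective negations). Against the whitelist fragment, bob's NOEXEC-tagged service commands produce nothing, carol's editor grant is flagged as escape-prone without NOEXEC, and dave's /bin/bash entry is flagged as a shell. On a real system the same fragment should also be syntax-checked with visudo -c -f before it is installed.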