Limit user to execute selective commands (Linux)

13

11

How can I limit my user to execute selective commands only? I have a user tomc in the tomc group. I need this user to be a sudo user and then to have restricted bash. I have tried the following code in the /etc/sudoers file, but it's not working, as the user is able to execute other commands like mkdir, rm.

%tomc ALL=/bin/bash,/usr/bin/vim /*

newbie17

Posted 2014-06-11T08:35:20.637

Reputation: 187

3 Although use of sudo can be restricted to particular commands, this can be tricky and requires some trust. If you do not trust the user, then giving them any sudo access is a bad idea. It will either give them root privileges or give them a focused app to attack to get root privileges. Letting someone run sudo bash is equivalent in most ways to having the root password. From a sudo bash shell they can run any admin command, install or delete software, delete users and directories, etc. – Paul – 2014-06-11T09:15:54.377

@Paul Can you suggest better and practical options for this? – None – 2014-06-11T09:44:11.350

First, this is off topic on Stack Overflow. Better places to ask include superuser, or askubuntu, or linux&unix. First figure out exactly what you want to allow tomc to do. tomc should be allowed to do _____ but not ________. Then ask. Sudo is for commands that require root (admin) priv. He can run bash already without running it as root. – Paul – 2014-06-11T09:50:12.443

Answers

17

You might be going at this the wrong way. Instead of giving a user a 'restricted' bash shell, you should only give them access to the commands they would need to run as root. For example, in your sudoers file:

tomc ALL=(root) /usr/bin/vim /etc/myapp.conf
tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log

Be careful with allowing users to run vim as root. Vim has a lot of features built in, like escapes to shell and the ability to run commands from within vim. Depending on your distribution, you might have sudoedit available. This works the same as a normal Vim, except it's designed to handle shell escapes and such.

mtak

Posted 2014-06-11T08:35:20.637

Reputation: 11 805

7

*Neither of those lines are safe.* As you mention, vim can run arbitrary shell commands. And the second line will probably allow less /var/log/myapp/../../../etc/shadow! According to my experiments, using sudo safely is hard! But if you can avoid *s and use sudoedit instead of vim then you might be ok.

– joeytwiddle – 2016-02-17T10:16:09.163

Avoiding * isn't enough! Once in less as the root user, try typing !tail /var/log/secure. How's that feel? Study the NOEXEC tag. But take @joeytwiddle's message to heart: sudo safety is hard indeed. – Bruno Bronosky – 2018-01-31T17:40:57.520
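The pitfalls raised in the answer and comments above (a shell or vim granted directly, `*` in command arguments, a pager without the NOEXEC tag) can be checked mechanically before a rule is deployed. The following is an added example, not part of the original answers or comments; `audit_line`, the program lists, the simplified rule grammar and the two sample lines marked as constructed are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive lists (not from the page beyond bash, vim, less).
SHELLS = {"sh", "bash", "dash", "zsh"}
EDITORS = {"vi", "vim"}
PAGERS = {"less", "more"}

# Simplified grammar: who host = [(runas)] [TAG:] cmd [args][, cmd ...]
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\([^)]*\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def audit_line(line):
    """Return findings for one sudoers user specification line."""
    m = RULE.match(line.split("#", 1)[0].strip())
    if not m:
        return []  # comment, blank line, or something this sketch skips
    noexec, findings = False, []
    for cmd in m.group("rest").split(","):
        cmd = cmd.strip()
        # Tags such as NOPASSWD: or NOEXEC: carry over to later commands.
        while (t := TAG.match(cmd)):
            if t.group(1) in ("NOEXEC", "EXEC"):
                noexec = t.group(1) == "NOEXEC"
            cmd = cmd[t.end():]
        if cmd.startswith("!"):
            continue  # a negated entry grants nothing by itself
        path, _, args = cmd.partition(" ")
        name = path.rsplit("/", 1)[-1]
        if path == "ALL":
            findings.append("ALL: every command is allowed")
        elif name in SHELLS:
            findings.append(f"{name}: interactive root shell")
        elif name in EDITORS:
            findings.append(f"{name}: editor runs as root, prefer sudoedit")
        elif name in PAGERS and not noexec:
            findings.append(f"{name}: shell escape possible, no NOEXEC tag")
        if "*" in args:
            findings.append(f"{name}: '*' in arguments can match '/'")
    return findings


# Lines from the page, plus two constructed "tightened" variants.
SAMPLES = [
    "%tomc ALL=/bin/bash,/usr/bin/vim /*",
    "tomc ALL=(root) /usr/bin/less /var/log/myapp/*.log",
    "tomc ALL=(root) NOEXEC: /usr/bin/less /var/log/myapp/app.log",  # constructed
    "tomc ALL=(root) sudoedit /etc/myapp.conf",                     # constructed
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_line(s) or "no finding from these checks")
```

An empty result means only that these checks found nothing; the rule still needs review with `visudo -c` and against the program's own features.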

3

On my Synology Diskstation running DSM 6 only admin users can ssh in consistently (non-admin users have shell as /sbin/nologin in /etc/passwd -- you can set this to /bin/sh to temporarily allow ssh, but on reboot the /etc/passwd file is reset). For this reason some kind of sudo restriction is needed for an account which otherwise exists only to execute e.g. /sbin/poweroff. The following lines in /etc/sudoers worked for me:

# Allow guestx user to remote poweroff
guestx ALL=(ALL) !ALL
guestx ALL=NOPASSWD: /sbin/poweroff

Translation: disallow all commands, then allow only the desired command (without asking for password in this case).

With this configuration sudo asks for the password and then fails for commands other than the whitelisted one:

guestx@ds:~$ sudo su -
Password: 
Sorry, user guestx is not allowed to execute '/bin/su -' as root on ds.
guestx@ds:~$ 

robm

Posted 2014-06-11T08:35:20.637

Reputation: 131