0
Is there any way I can disable users from creating new shell instances through sudoers file? also disable them to set any environment variables?
I would like to write a line in the sudoers file something like:
someuser ALL=(ALL) NOPASSWD: ALL, NOTSETENVVARS: ALL, NONEWSHELLINSTANCES: ALL
where: NOTSETENVVARS means the instruction to no set new env vars NONEWSHELLINSTANCES means no new shell instances
Thanks in advance
sevillo
Posted 2014-11-24T17:38:01.540
Reputation: 11
1
I'd not try to combine this with ALL. If you're trying to restrict a user, blacklist them first then whitelist carefully.
Restrict shell escapes with NOEXEC:
Check the man page for details: https://www.sudo.ws/man/1.8.16/sudoers.man.html#Preventing_shell_escapes
Restrict environment variables (not fully disable to my knowledge) with creative use of env_reset and secure_path.
Example:
Defaults env_reset
Defaults secure_path
someuser ALL=(root) NOPASSWD: SOMESPECIFICCOMMANDS
someuser ALL=(root) NOEXEC: /usr/bin/vim
Also, buy Michael W. Lucas's book Sudo Mastery. It is great! (He has some better examples, but I thought it better not to plagiarize them.)
CoreyJJohnson
Posted 2014-11-24T17:38:01.540
Reputation: 126
0
No.
Controls like this do not exist because they can be trivially circumvented by the user installing / executing their own shell program without the restrictions or with the restrictions patched out.
There is no way to know if a program is a shell or not.
Moreover, the sudoers file only controls the utility sudo, not anything the user executes before running sudo, or after they have elevated.
Darth Android
Posted 2014-11-24T17:38:01.540
Reputation: 35 133