Possible solution to sudoers file, comments please. - Linux


Thread: Possible solution to sudoers file, comments please.

  1. Possible solution to sudoers file, comments please.

    Wanted input from the security group, read the comp newsgroup mostly and
    ask that followups go there, if you don't mind. Will track your replies
    wherever they go. Thank you.

    Thanks guys for helping me to understand the wheel group and the sudoers
    file. I will skip the wheel stuff, it really does not seem to apply much
    to my FC3 setup. This is sort of what I had in mind for my user to be
    able to do:

    What I want for my user to do:

    Use halt, reboot, shutdown, mount, and tcpdump commands.
    Read all log files.

    With sudo password:
    All root privileges.

    This was not a simple thing to figure out and this is what I came up
    with. Would someone look this over and see if it seems okay or do you
    find any "holes" in it?

    I had no problems with viewing most logs except for the httpd logs. I
    changed permissions on /var/log/httpd as follows:
    drwxr-xr-x 2 root root 4096 Jun 1 06:55 httpd

    This lets me view the logs. I also added the root path to my own in my
    $HOME/.bashrc file so that stuff like tcpdump would work:

    PATH=$PATH:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin

    export PATH

    Now I took a really good sample sudoers file:
    http://www.courtesan.com/sudo/sample.sudoers

    And used some of it to make my own sudoers file with visudo. This seems
    to grant me the access that I need or want as a regular user with admin
    privileges:
    ---------------------------------------------------------------------
    [ohmster@ohmster etc]$ sudo cat sudoers
    # sudoers file.
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #

    # Host alias specification

    # User alias specification
    User_Alias ADMIN = ohmster

    # Cmnd alias specification
    Cmnd_Alias KILL = /usr/bin/kill
    Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
    Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
    Cmnd_Alias HALT = /usr/sbin/halt
    Cmnd_Alias REBOOT = /usr/sbin/reboot
    Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
    /usr/local/bin/tcsh, /usr/bin/rsh, \
    /usr/local/bin/zsh
    Cmnd_Alias SU = /usr/bin/su
    Cmnd_Alias VIPW = /usr/bin/passwd, /usr/bin/chsh, \
    /usr/bin/chfn
    Cmnd_Alias NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
    Cmnd_Alias EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more, \
    /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk, \
    /bin/sed


    # Defaults specification

    # User privilege specification
    root ALL=(ALL) ALL

    # part time sysadmins may run anything but need a password
    ADMIN ALL = ALL

    # admin may run specified commands without password
    ADMIN ALL = NOPASSWD: NETVIEW, KILL, PRINTING, SHUTDOWN, HALT, REBOOT, EDIT

    # Uncomment to allow people in group wheel to run all commands
    # %wheel ALL=(ALL) ALL

    # Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL

    # Samples
    # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
    # %users localhost=/sbin/shutdown -h now
    ---------------------------------------------------------------------

    What do you think, any bad stuff here? I also log in with ssh, would like
    to be able to restrict this sudo stuff to logins on my own LAN which uses
    the IP range 192.168.0.1 to 192.168.0.255. Is this something that can be
    done from the sudoers file?

    I put the EDIT group in there in order to run these commands as root for
    editing or viewing files that are permissioned for root only, but this
    really does not seem to work as I intended. Might have to take that EDIT
    group out.

    Hey thanks guys, you have all been a really good help with this.
    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  2. Re: Possible solution to sudoers file, comments please.

    Ohmster wrote:



    > I put the EDIT group in there in order to run these commands as root for
    > editing or viewing files that are permissioned for root only, but this
    > really does not seem to work as I intended. Might have to take that EDIT
    > group out.


    Sounds like a plan, if you allow /usr/bin/vim without password, what is
    there to stop someone from doing a 'sudo /usr/bin/vim', and starting a
    (root privileged) shell using :!bash ?

    >
    > Hey thanks guys, you have all been a really good help with this.
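
    The shell-escape problem Jack points out, together with the sudoers layout
    from the first post, as an added worked example (my own script, not code
    from the thread). It does two things: a small checker that joins
    continuation lines, expands Cmnd_Alias names and flags every NOPASSWD grant
    whose program has a built-in way to run another command as root (vim
    ":!bash", less "!cmd", man's pager, awk system(), sed's e command, pico/nano
    -s speller, find -exec, tcpdump -z), and a hardened sudoers file next to a
    trimmed copy of the posted one. Assumptions: the FC3-style paths
    (/bin/mount, /mnt/cdrom, /etc/httpd/conf/httpd.conf), the 192.168.0.0/24
    LAN, the list of escape-capable binaries, and sudoedit being available
    (sudo 1.6.8 and later). One fact worth knowing for the LAN question: a
    sudoers host spec matches the host sudo runs ON, not the address an SSH
    client connects from, so restricting sudo to LAN logins is really a job for
    sshd (AllowUsers ohmster@192.168.0.*) or a firewall rule.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a sudoers file for NOPASSWD
# grants of programs that carry a built-in shell escape (vim ":!bash", less
# "!cmd", awk "system()", sed "e", tcpdump "-z cmd", ...), and put a hardened
# version of the posted file next to the original. Paths and the LAN range
# are assumptions based on the thread's FC3 box; adjust them for your system.

# Basenames that let the caller run an arbitrary command once started as root.
# Constructed list; extend it for the tools installed on your own hosts.
ESCAPE_BINS="sh bash csh ksh tcsh zsh su vi vim pico nano ed less more man \
awk gawk sed perl python find tcpdump"

# check_nopasswd_escapes FILE: print one line per risky NOPASSWD grant, with
# Cmnd_Alias names expanded. Exit status 1 if anything was flagged, else 0.
check_nopasswd_escapes() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    {
        line = $0
        # join backslash-continued lines, then drop comments and blank lines
        while (sub(/\\[ \t]*$/, "", line) && (getline nxt) > 0) line = line " " nxt
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        if (line == "") next
        if (line ~ /^Cmnd_Alias[ \t]/) {            # remember alias -> command list
            sub(/^Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            name = substr(line, 1, eq - 1); gsub(/[ \t]/, "", name)
            cmnd[name] = substr(line, eq + 1)
            next
        }
        if (index(line, "NOPASSWD:") > 0) rules[++nr] = line
    }
    # expand alias names (nested up to 5 deep) into one comma-separated list
    function expand(list, depth,    m, parts, i, tok, out) {
        m = split(list, parts, ","); out = ""
        for (i = 1; i <= m; i++) {
            tok = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", tok)
            if (tok == "") continue
            if ((tok in cmnd) && depth < 5) out = out "," expand(cmnd[tok], depth + 1)
            else out = out "," tok
        }
        return substr(out, 2)
    }
    END {
        found = 0
        for (r = 1; r <= nr; r++) {
            split(rules[r], f, /[ \t]+/); user = f[1]
            cmds = substr(rules[r], index(rules[r], "NOPASSWD:") + 9)
            sub(/[A-Z]+:.*/, "", cmds)               # stop at a later tag such as PASSWD:
            m = split(expand(cmds, 0), list, ",")
            for (i = 1; i <= m; i++) {
                split(list[i], w, /[ \t]+/); bin = w[1]; sub(/.*\//, "", bin)
                if (bin == "ALL" || (bin in risky)) {
                    printf "%s: NOPASSWD %s (%s can start a root shell)\n", user, list[i], bin
                    found++
                }
            }
        }
        exit (found > 0)
    }' "$1"
}

# write_original_sudoers FILE: the grants from the posted file, trimmed to the
# parts that matter (constructed reproduction, not the file verbatim).
write_original_sudoers() {
    cat >"$1" <<'EOF'
User_Alias ADMIN = ohmster
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias NETVIEW = /usr/sbin/tcpdump, /bin/traceroute
Cmnd_Alias EDIT = /usr/bin/vim, /bin/cat, /usr/bin/less, /bin/more, \
    /usr/bin/pico, /bin/touch, /bin/grep, /bin/awk, \
    /bin/sed
root ALL=(ALL) ALL
ADMIN ALL = ALL
ADMIN ALL = NOPASSWD: NETVIEW, KILL, SHUTDOWN, HALT, REBOOT, EDIT
EOF
}

# write_hardened_sudoers FILE (constructed): same intent, but no editor, pager
# or sniffer runs as root without a password. sudoedit edits a temp copy as the
# invoking user and copies it back, so ":!bash" inside vim is just the user's
# own shell. The mount/umount args are pinned to one mount point (keep
# nosuid,nodev on that fstab entry). Host_Alias matches the local host only.
write_hardened_sudoers() {
    cat >"$1" <<'EOF'
Host_Alias LAN = 192.168.0.0/24
User_Alias ADMIN = ohmster
Cmnd_Alias POWER = /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot
Cmnd_Alias CDROM = /bin/mount /mnt/cdrom, /bin/umount /mnt/cdrom
Cmnd_Alias EDIT = sudoedit /etc/hosts, sudoedit /etc/httpd/conf/httpd.conf
root ALL=(ALL) ALL
# everything else (tcpdump included) needs the password
ADMIN ALL = (ALL) ALL
ADMIN LAN = EDIT
# sudo applies the tags of the LAST matching rule, so NOPASSWD goes last
ADMIN LAN = NOPASSWD: POWER, CDROM
EOF
}

# Demo: constructed copies of both files, scanned side by side.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
write_original_sudoers "$tmp/original"; write_hardened_sudoers "$tmp/hardened"
for f in original hardened; do
    echo "== $f =="
    check_nopasswd_escapes "$tmp/$f" || echo "-> fix before installing with visudo"
done
```

    The checker understands only the subset of sudoers syntax shown here (no
    #include, Defaults or Runas_Alias handling), so treat a clean result as a
    first pass, not proof; install the file with visudo and validate with
    visudo -c. Note that it flags the unrestricted tcpdump grant as well: with
    -C or -G plus -z, tcpdump runs a command of the caller's choosing on each
    rotated capture file, which is a root shell by another route.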


  3. Re: Possible solution to sudoers file, comments please.

    Jack Masters wrote in news:xLidnQp8TapXYjzfRVn-hQ@is.co.za:

    > Sounds like a plan, if you allow /usr/bin/vim without password, what is
    > there to stop someone from doing a 'sudo /usr/bin/vim', and starting a
    > (root privileged) shell using :!bash ?


    Well I knew that there would be *something* wrong with this approach so I
    will take out the EDIT section as it did not do what I wanted to do anyway,
    not to mention that this would be a gaping hole. Not so much on this system
    as I am the only one that uses it for the most part, but in general for
    setting up a systems point of view. Thanks for the feedback, Jack.

    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  4. Re: Possible solution to sudoers file, comments please.

    Jack Masters wrote in news:xLidnQp8TapXYjzfRVn-hQ@is.co.za:

    > Sounds like a plan, if you allow /usr/bin/vim without password, what is
    > there to stop someone from doing a 'sudo /usr/bin/vim', and starting a
    > (root privileged) shell using :!bash ?


    That was a stupid idea, really. These programs like vim are programs that
    anyone on the system can use anyway. I had wanted it to be that if I called
    up a program like vim to edit a file and used the sudo command to prefix
    it, like this:

    sudo vi /etc/hosts

    (vi aliases to vim on my system.)

    It would run vi as root with root read and write access to the file, then I
    could edit such a file without having to invoke an su shell. This is really
    stupid for the reason that you pointed out, one could possibly escape to a
    full blown root shell and this is a practice to be avoided for sure. Bad
    idea, the EDIT stuff in my sudoers file has been removed. Thanks again for
    pointing this out, Jack. I don't really need such a feature, I guess, I can
    do this like so anyway:
    su -c "vi /etc/hosts"

    Yeah I am learning and at least trying to do it right.
    --
    ~Ohmster
    "Read Ohmster" in subject, bypass spam filter.
    ohmster /a/t/ newsguy dot com

  5. Re: Possible solution to sudoers file, comments please.

    On Sat, 04 Jun 2005 16:33:37 +0000, Ohmster thoughtfully wrote:

    [snip]
    >
    > I put the EDIT group in there in order to run these commands as root for
    > editing or viewing files that are permissioned for root only, but this
    > really does not seem to work as I intended. Might have to take that EDIT
    > group out.
    >
    > Hey thanks guys, you have all been a really good help with this.


    Not bad. I think you have too many commands in your EDIT, especially like
    touch and sed. I'd pick my favorite editor and go with only that, for me
    it's gedit. More and less aren't necessary in the sudoers because
    you can pipe output to those, or alias a command to those.

    I added a LIST for safer list type commands and a TOOLS for a couple of
    common root permissions. I didn't add a group for sudoer privilege, just
    the individual user. If you have enough users for a sudoers group then
    you really need to fine tune sudoers (more restrictive) and overall system
    security.
