Restricting sudo users to specific commands can be done in various ways on Apple's OS X, the BSDs and GNU/Linux, and it is a good way to increase security. The goal is not always distrust of the users; mostly it is to prevent unintentional mistakes that can destroy a system. If someone changes ownership to the Apache user (www-data) under sudo while standing in the root directory, for example, it is in most cases impossible to bring the system back without a reinstall.
Restrict sudo Users Running Specific Commands: Understanding the Difference in Philosophy Between GNU/Linux and UNIX
In UNIX there is the wheel group. We discussed the UNIX wheel group in detail in a previously published article, including why re-enabling it increases control over which users can become root. GNU/Linux, by philosophy, does not favour that approach (GNU su deliberately does not honour the wheel group, a position explained in the coreutils documentation).
As we said there, by running the visudo command you can block the specific commands you want to restrict:

# restrict NetworkManager ; add these lines
user ALL = !/etc/init.d/NetworkManager restart
user ALL = !/etc/init.d/network restart
But such a blacklist is only as good as the rest of the rule set. If the same user is also allowed ALL, they simply run:

sudo bash

and inside that root shell nothing in sudoers applies any more. sudoers(5) itself warns that subtracting commands from ALL with the ! operator is not effective, because the user can copy the excluded binary under another name and run that instead.
This is the basic reason we mentioned the wheel group; see the Arch Linux wiki:

https://wiki.archlinux.org/index.php/sudo
In practice, the methods people usually mention only stop casual users; a determined user with a definite target can work around them. There is another well-known method:
Instead of modifying /etc/sudoers itself, add a file under the /etc/sudoers.d directory, which sudoers pulls in through its @includedir (older versions: #includedir) line. If your user is called user and your host is called host, you could put these lines in a file such as /etc/sudoers.d/shutdown:

user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
Because this is a whitelist, user can run only these two commands through sudo (here without being asked for a password); anything else is refused, and nobody except root itself can run arbitrary commands.
Restrict sudo Users Running Specific Commands But Do Not Get Locked Out
If you do get locked out of sudo (a syntax error in a drop-in file is the usual cause), you need to know about the pkexec command, which asks polkit rather than sudoers for permission to run a program as root:

http://manpages.ubuntu.com/manpages/precise/en/man1/pkexec.1.html

# Example
pkexec visudo -f /etc/sudoers.d/shutdown
pkexec chown root:root /etc/sudoers.d/shutdown
pkexec chmod 0440 /etc/sudoers.d/shutdown
# the permissions will become
ls -l /etc/sudoers.d/shutdown
# output
-r--r----- 1 root root 86 Jul 16 15:37 /etc/sudoers.d/shutdown

Two habits avoid the lock-out in the first place: always edit with visudo (visudo -f for a drop-in), since it checks the syntax before saving, and keep a root shell open in another terminal while you test a new rule. A file in /etc/sudoers.d must be owned by root with mode 0440, and its name must not contain a dot or end in ~, otherwise sudo silently skips it.
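The checks just described, as an added example that is not code from the original article: a small Python script that inspects a /etc/sudoers.d drop-in for the mistakes that make sudo ignore it (bad file name, wrong owner or mode) or reject it (syntax error, detected with visudo -c -f when visudo is installed). The demo() function writes constructed files into a temporary directory so it runs without root and never touches /etc; the file names shutdown, reboot, shutdown.conf and broken are assumptions for the demo.

```python
"""Sanity-check a /etc/sudoers.d drop-in before relying on it.

Added example, not code from the original article. check_dropin() reports:
  - a file name that @includedir skips (contains "." or ends in "~"),
  - owner/mode other than root:root 0440,
  - a syntax error, found with `visudo -c -f FILE` when visudo exists
    (otherwise the syntax check is reported as skipped).
demo() builds constructed sample files in a temporary directory.
"""
import os
import shutil
import stat
import subprocess
import tempfile

# Content taken from the article's /etc/sudoers.d/shutdown example.
SHUTDOWN_RULES = (
    "user host = (root) NOPASSWD: /sbin/shutdown\n"
    "user host = (root) NOPASSWD: /sbin/reboot\n"
)


def write_dropin(directory, name, content, mode=0o440):
    """Create directory/name with the given content and mode; return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)  # explicit chmod so the umask cannot widen the mode
    return path


def check_dropin(path):
    """Return a list of human-readable problems; empty means nothing wrong was found."""
    problems = []
    name = os.path.basename(path)
    if "." in name or name.endswith("~"):
        problems.append('name "%s" is ignored by @includedir (contains "." or ends in "~")' % name)
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o440:
        problems.append("mode is %04o, expected 0440" % mode)
    if st.st_uid != 0 or st.st_gid != 0:
        problems.append("owner is uid %d gid %d, expected root:root" % (st.st_uid, st.st_gid))
    if shutil.which("visudo"):
        # -c: check only; -f: check this file instead of /etc/sudoers; -q: quiet
        res = subprocess.run(["visudo", "-c", "-q", "-f", path],
                             capture_output=True, text=True)
        if res.returncode != 0:
            problems.append("visudo rejected the file: " + (res.stderr or res.stdout).strip())
    else:
        problems.append("syntax not checked: visudo not found on this machine")
    return problems


def demo():
    """Write constructed drop-ins (assumed names) and return check_dropin() output per case."""
    tmp = tempfile.mkdtemp(prefix="sudoers.d-")
    cases = {
        "good": write_dropin(tmp, "shutdown", SHUTDOWN_RULES),
        "bad_mode": write_dropin(tmp, "reboot", SHUTDOWN_RULES, mode=0o644),
        "bad_name": write_dropin(tmp, "shutdown.conf", SHUTDOWN_RULES),
        # missing ":" after NOPASSWD is a sudoers syntax error
        "bad_syntax": write_dropin(tmp, "broken", "user host = (root) NOPASSWD /sbin/reboot\n"),
    }
    results = {label: check_dropin(path) for label, path in cases.items()}
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or ["no problems found"])
```

Run it as the user who will own the real file and expect the owner complaint on a non-root test run; on the real /etc/sudoers.d file, after the pkexec chown and chmod above, the only acceptable output is an empty list.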
You can also look at the Cmnd_Alias facility, which names a group of commands so that rules can refer to them together:

https://help.ubuntu.com/community/Sudoers
But sudo assumes we trust our users; that is the GNU philosophy. The configuration below logs every sudo invocation, asks for the password on every call (timestamp_timeout=0), and then tries to take the dangerous commands away from a group:

visudo
# Edit to
Defaults logfile=/var/log/sudo.log
Defaults timestamp_timeout=0
# Add Alias
Cmnd_Alias NVSU = /usr/sbin/visudo
Cmnd_Alias NSU = /bin/su
Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NYUM = /usr/bin/yum
Cmnd_Alias NPASSWD = /usr/bin/passwd
# enforce rules
%group_name ALL=(ALL) ALL, !NVSU, !NSU, !NSHELLS,!NPASSWD

Note that NYUM is defined but not referenced in the rule, so yum stays allowed unless you append !NYUM. More importantly, this is the "ALL minus exclusions" pattern that sudoers(5) warns is not a real restriction.
Whenever the user can reach their own home directory and software such as Java, Ruby, Python, PHP or Perl is installed and reachable through sudo, a great deal remains possible: an interpreter run as root can start a shell of its own, so excluding /bin/sh and /bin/bash does not help. A wheel-group system actually makes administration easier.
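To make the difference between the two rule styles on this page concrete, here is an added example, not code from the original article: a small Python evaluator for the subset of sudoers syntax used above. It loads the NOPASSWD whitelist from the /etc/sudoers.d example and the Cmnd_Alias blacklist from the visudo block, then answers whether a user may run a given command, following the sudoers rule that the last matching entry wins. The group name admins, the user names alice and bob, the interpreter path /usr/bin/perl and the copied-binary path /tmp/bash are assumptions for the demo; Defaults lines, User_Alias, wildcards and command arguments are deliberately not modelled.

```python
"""Toy evaluator for a subset of sudoers(5) syntax.

Added example, not the article's code. Supported: Cmnd_Alias lines,
%group user specs, and rules of the form
    user host = (runas) [NOPASSWD:] cmd, !cmd, ALL ...
The runas part is parsed but not enforced (every query is "as root").
"""
import re

# Constructed sample configs; the rules are the ones shown in the article.
WHITELIST = """\
user host = (root) NOPASSWD: /sbin/shutdown
user host = (root) NOPASSWD: /sbin/reboot
"""

BLACKLIST = """\
Cmnd_Alias NVSU = /usr/sbin/visudo
Cmnd_Alias NSU = /bin/su
Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NPASSWD = /usr/bin/passwd
%admins ALL=(ALL) ALL, !NVSU, !NSU, !NSHELLS, !NPASSWD
"""

RULE_RE = re.compile(
    r'^(\S+)\s+(\S+)\s*=\s*(?:\((\w+)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$')


def parse(text):
    """Return (aliases, rules).

    rules is a list of (who, host, runas, nopasswd, spec) where spec is a
    list of (negated, command) with aliases already expanded.
    """
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('Cmnd_Alias'):
            name, _, cmds = line[len('Cmnd_Alias'):].partition('=')
            aliases[name.strip()] = [c.strip() for c in cmds.split(',')]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unsupported sudoers line: ' + raw)
        who, host, runas, tag, cmds = m.groups()
        spec = []
        for c in cmds.split(','):
            c = c.strip()
            negated = c.startswith('!')
            c = c.lstrip('!').strip()
            for expanded in aliases.get(c, [c]):   # alias name or literal path
                spec.append((negated, expanded))
        rules.append((who, host, runas or 'root', tag == 'NOPASSWD', spec))
    return aliases, rules


def may_run(text, user, groups, host, cmd):
    """Return (allowed, nopasswd) for running cmd as root on host.

    groups is the set of groups the user belongs to (sudo asks the system;
    here the caller supplies it). Like sudo, the last matching entry wins
    and the default is to deny.
    """
    _, rules = parse(text)
    verdict = (False, False)
    for who, rhost, _runas, nopasswd, spec in rules:
        user_ok = who == 'ALL' or who == user or (who.startswith('%') and who[1:] in groups)
        host_ok = rhost == 'ALL' or rhost == host
        if not (user_ok and host_ok):
            continue
        for negated, pattern in spec:
            if pattern == 'ALL' or pattern == cmd:
                verdict = (not negated, nopasswd)
    return verdict


if __name__ == '__main__':
    # /tmp/bash stands for "bash copied under another name", the case sudoers(5) warns about.
    for label, cfg, user, groups in (('whitelist', WHITELIST, 'user', set()),
                                     ('blacklist', BLACKLIST, 'alice', {'admins'})):
        for cmd in ('/sbin/reboot', '/bin/bash', '/usr/bin/perl', '/tmp/bash'):
            print('%-9s %-14s -> allowed=%s nopasswd=%s'
                  % ((label, cmd) + may_run(cfg, user, groups, 'host', cmd)))
```

The whitelist answers "allowed" only for the two listed paths; the blacklist refuses /bin/bash as intended but still allows /usr/bin/perl and /tmp/bash, which is exactly why a whitelist is the only form of sudoers rule that restricts anything.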