
Disable sudo user to edit sudoers file

By Emma Terry

I want to stop a user from editing the sudoers file, so I added a line to the sudoers file:

Cmnd_Alias BLOCK = !/usr/sbin/visudo, !/bin/nano /etc/sudoers

It blocks if a user tries to edit like this:

sudo nano /etc/sudoers

but when he enters /etc:

cd /etc
sudo nano sudoers

... he can use nano and edit sudoers.

How can I solve this? Thanks.


2 Answers

From my standpoint... if you don't want a user to be changing things as sudo, you should NOT be granting sudo access in the first place. This is for the same reason you don't give your bank account information to Nigerian prince scammers - if they have your information (or access) they will have access beyond what you probably want to grant the individual.

Giving sudo access in a way that lets them use any command except some commands ("blacklisting" commands) is MUCH harder to implement, and in fact the sudo and sudoers mechanisms are not really built to do this kind of blacklisting in a safe way.

Conversely, giving this hypothetical user sudo access for only some commands (and not all commands), by specifically listing the things they can execute as sudo on the sudoers line, is the proper way to really do this type of restriction with sudo ("whitelisting" commands instead of blacklisting them).


This said, if you REALLY want to go this route, then...

In the second method, he's not using the full path. The command blocks you've initiated here deny access when the command and arguments are identical matches. The utilities are unfortunately stupid and don't actually equate arguments passed in as fully qualified on-disk paths and need to be exact matches to what's being executed.

Add to the list such that you get this:

Cmnd_Alias BLOCK = !/usr/sbin/visudo, !/bin/nano /etc/sudoers, !/bin/nano sudoers

... however there are a trillion ways to circumvent this, so you really should be whitelisting access to commands rather than blacklisting commands that sudoers are not supposed to use.


I usually use the following:

username ALL=ALL, !/usr/bin/su *,!/usr/bin/sudo *, !/usr/sbin/visudo, !/usr/bin/* *sudoers

Not sure if I missed out anything. Definitely not foolproof, but the best that I can come out with so far :)
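As an added illustration (not code from the question or either answer), the following Python script models how sudo decides whether a command line matches a Cmnd_List: the bare command name is resolved to a path through a PATH lookup, the resolved path and the argument string are compared against each entry with shell-style globbing, the last matching entry wins, and no match at all means denial. The PATH table and the `/usr/bin/apt-get update` allow-list are constructed for the example; real sudo additionally handles Defaults, runas specs, digests and quoting, none of which are modelled here. Run against the question's deny-list it reproduces the gap described above (`sudoers` is not the same argument string as `/etc/sudoers`), against a short allow-list it shows that unlisted command lines fail closed, and against the second answer's list it shows that a `/usr/bin/*` entry only catches an editor that actually resolves under /usr/bin.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed PATH table: stands in for sudo searching its secure_path for a bare
# command name. nano lives at /bin/nano here, matching the question's rule.
PATH_TABLE = {
    "nano": "/bin/nano",
    "visudo": "/usr/sbin/visudo",
    "apt-get": "/usr/bin/apt-get",
}


@dataclass(frozen=True)
class Rule:
    path: str            # command path or "ALL"; may contain shell-style globs
    args: Optional[str]  # argument pattern; None means "any arguments"
    deny: bool           # True for a "!" entry


def parse_cmnd_list(spec: str) -> list:
    """Parse a comma-separated Cmnd_List such as
    'ALL, !/usr/sbin/visudo, !/bin/nano /etc/sudoers'."""
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        deny = entry.startswith("!")
        entry = entry.lstrip("!").strip()
        path, _, args = entry.partition(" ")
        rules.append(Rule(path=path, args=args.strip() or None, deny=deny))
    return rules


def resolve(command: str, path_table: dict) -> str:
    """A bare name is looked up in the PATH table; a name with a slash is used as typed."""
    if "/" in command:
        return command
    return path_table.get(command, command)


def rule_matches(rule: Rule, path: str, argv: list) -> bool:
    if rule.path != "ALL" and not fnmatchcase(path, rule.path):
        return False
    if rule.args is None:
        return True  # an entry listed without arguments matches any arguments
    # Arguments are compared as one space-joined string, glob-matched like sudo does
    return fnmatchcase(" ".join(argv), rule.args)


def permitted(rules: list, command: str, argv: list, path_table: dict = PATH_TABLE) -> bool:
    """Like sudoers: no matching entry means denied; the last matching entry decides."""
    path = resolve(command, path_table)
    verdict = False
    for rule in rules:
        if rule_matches(rule, path, argv):
            verdict = not rule.deny
    return verdict


# The question's deny-list, the second answer's deny-list, and a constructed allow-list.
QUESTION_LIST = parse_cmnd_list("ALL, !/usr/sbin/visudo, !/bin/nano /etc/sudoers")
ANSWER2_LIST = parse_cmnd_list(
    "ALL, !/usr/bin/su *,!/usr/bin/sudo *, !/usr/sbin/visudo, !/usr/bin/* *sudoers"
)
ALLOW_LIST = parse_cmnd_list("/usr/bin/apt-get update")

if __name__ == "__main__":
    # Exact argument is blocked; the relative filename typed from /etc is not.
    print(permitted(QUESTION_LIST, "nano", ["/etc/sudoers"]))
    print(permitted(QUESTION_LIST, "nano", ["sudoers"]))
    # Allow-list: only the listed command line matches, everything else is denied.
    print(permitted(ALLOW_LIST, "apt-get", ["update"]))
    print(permitted(ALLOW_LIST, "nano", ["sudoers"]))
    # The /usr/bin/* glob depends on where the editor actually resolves.
    print(permitted(ANSWER2_LIST, "nano", ["sudoers"]))
    print(permitted(ANSWER2_LIST, "nano", ["sudoers"], {"nano": "/usr/bin/nano"}))
```

The useful check for a defender is the last pair: before relying on any deny entry, confirm with `which` (or `sudo -l` on the real system) where each binary resolves, because a glob on the wrong directory silently matches nothing.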
