Security :: Sudo To Disallow Certain Commands?

Jan 10, 2011

Trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh. Is there a way to allow users to run anything they want except shells? I realise this is a default permit, which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decide on the likely 1000+ commands I would want to be genuinely allowed. As I said, this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands; rather, they switch to bash.


Ubuntu Security :: Is There Way To Disallow Access To Other Websites?

May 4, 2010

I'm using Ubuntu x64 (dunno which version, but I don't think it matters) and I'm concerned about security with PHP. I remember using lighttpd and I had some mystic configuration and the security was perfect for me - if one website gets hacked then the others are still safe (kinda). Now with apache2 if I enable safemode I'm still able to go outside web directory and actually I can go really far until user/group matches. I tested the system with r57shell and I was able to mess up other websites. Is there a way to disallow access to other websites?


Ubuntu Security :: Disallow Both Ssh And Scp To 'other Local Users'

Jun 23, 2011

I am stuck in a weird situation and could definitely use some help from gurus in security area.

I have categorized my users into 3:
1. root user
2. other local users
3. LDAP users

I want to setup following 2 usecases:

a)
1. Allow keybased ssh and scp to root users
2. Allow ssh but disallow scp service to other local users
3. Disallow ssh and scp to LDAP users

b)

1. Allow keybased ssh and scp to root users
2. Disallow both ssh and scp to other local users
3. Disallow ssh but allow scp to LDAP users

For the 1. in both cases, I think PermitRootLogin in sshd_config could . For the 3. I am thinking of deploying rssh to control scp service access, since ssh will be restricted anyways.

Problem area is 2. primarily.

i) How to allow ssh but disallow scp to 'other local users'
ii) How to disallow both ssh and scp to 'other local users'


Ubuntu Security :: Disallow Users Mounting NTFS Volumes?

Nov 13, 2010

I have a system, I want only my sudoer account to show and automount NTFS partitions under 'Places' in Ubuntu. Simply, they shall not have access to mount it. Only my main sudoer user account shall take advantage on this show-and-possibly-automount feature of GNOME, but not anyone else.


Fedora Security :: Cannot Open /var/db/sudo After Sudo Package Upgrade?

Sep 16, 2010

A day ago I finally got around to upgrading the PackageKit installation that had been sitting for a week and a half, so I found a new upgrade for sudo available - the one that gives the sudoreplay command, I forget which version number it is exactly. When I try to use the sudo command I get this notice in my terminal:

Code:

Can't open /var/db/sudo/me/1: Permission denied

I didn't get it before. What do I have to do to make it open? I'm using SELinux in enforcing mode if that helps.


Ubuntu :: Can't Do Any Sudo Commands In Terminal

Mar 20, 2010

I was following a guide to stop Ubuntu from always asking the root password. And apparently I messed something up in vsudo edit or something like that I was in... So now when I put in a sudo command I get this...

Quote:

>>> /etc/sudoers: syntax error near line 18 <<<
sudo: parse error in /etc/sudoers near line 18
sudo: no valid sudoers sources found, quitting

So I can't even get back to undo what I edited.


Ubuntu :: Unable To Use Sudo And Su - Commands

May 23, 2011

I am unable to use sudo and su - commands. check my output below:

Code:

ubuntu@user1:~$ su -
Segmentation fault
ubuntu@user1:~$ sudo visudo
bash: /usr/bin/sudo: Permission denied

[code].....


General :: Sudo - Run All Commands With Password?

Feb 16, 2010

Having a problem with sudo. I'm down as a user who can run all commands as root provided I enter my password. The relevant line from my /etc/sudoers file :

Code:

user1 ALL=(ALL) ALL

There are several commands that I run quite frequently such as mount and fdisk but would like to avoid having to enter a password each time I use them. What would be the appropriate change to the sudoers file ?

UPDATE: I neglected to scroll down to the bottom of the /etc/sudoers file where there was the line :

Code:

%admin ALL=(ALL) ALL

and since user1 was a member of the admin group any preceding lines were being overridden by this. Commenting out this line and adding

Code:

user1 ALL= NOPASSWD: /bin/mount, /sbin/fdisk


Ubuntu :: Edit Which Commands Require Sudo?

Aug 2, 2010

Is there a way to edit which commands require a sudo? Or some programs, like the CPU frequency monitor on panel, requires a password to change. Where would I start if I want to change this?


Ubuntu Servers :: Set Sudo Commands Restrictions

Nov 7, 2010

Does anyone know how to set restrictions on the commands a user can run as sudo? I want to make it so they can only halt the system.


Ubuntu :: Where To Enter Commands Like $ Sudo /usr/etc/eth0

Aug 28, 2010

I am a Mac/ Windows user, forced to use Linux for my college work. I do not know where to enter commands like $ sudo /usr/etc/eth0 mvntz -do4i or how to make them work

I had a problem - the Wi-fi card in my laptop was not working. All the forums were useless. They wanted me to READ about wireless networking !

Finally a good friend solved the problem in a simple way : it appears Ubuntu has not installed the drivers for my Broadcom wireless card since it was not open source. I had to download it myself. Here is how : Go to System menu on the top bar. Choose administration/ hardware devices. Tell it to activate the device. It will download the drivers through the cable attached to DSL modem and install.

Then clicked the network icon, selected edit connections, and entered my wireless network name and password. This solved all problems.

Why doesn't Linux give me a warning that the driver for something is not yet installed ? When I was struggling with the network setup wizard for the whole day, there was no clue about the missing driver.


General :: How To Allow User To Execute All Commands Without Sudo

Apr 30, 2010

Customer asked me to create a menu for linux he also asked me to do this: Open like a command like where a user can execute commands...so for this the users have sudo enabled. The code below works OK. But it has an issue when a command is executed but the command does not need sudo

Like for instance
Code:
cd /
sudo: cd: command not found

How can I allow a user to execute all commands when a command does not need sudo
Code:
echo -e "Press Control+C to finish"
#echo -e " "
while true;
do
read whichcmd?"Insert Command: "
sudo $whichcmd
done


Slackware :: Sudo Does Not Allow Access To Root Commands

Feb 22, 2011

In order to allow me to shutdown my PC from within fluxbox without being root I ran "visudo" and added the following line:

Code:

psionl0 ALL=(ALL) NOPASSWD: ALL

A check that the line had been accepted showed all ok:

Code:

bash-4.1$ sudo -l

User psionl0 may run the following commands on this host:

(ALL) NOPASSWD: ALL

Yet when I tested it out, I got nowhere:

Code:

bash-4.1$ sudo pkgtool
sudo: pkgtool: command not found
bash-4.1$ sudo shutdown -h now
sudo: shutdown: command not found
bash-4.1$

Have I done something wrong or isn't sudo meant to be used this way?


General :: Setting Up User To Use Sudo For Specific Commands?

Jan 17, 2011

I did some digging on the sudo command and I do know the config file is /etc/sudoers. Read the manual for sudoers and found out that I must use visudo to edit the file. I read some of the examples at the bottom of the file and tried entering my own account in, following the example. One of the commands I was trying to allow my account to perform without root login is the mount command. So I tried adding this in (kreid8 /bin/mount ALL). I then saved & exited the file and logged out of root and tried sudo mount -t vfat /dev/sdc1 /media. I got an error saying I had to be root in order to do that. But when I use the visudo -l option it shows that I have that privilege. Did I edit the file incorrectly?


Fedora Security :: Terminal Equivalent Of "sudo" Is It Still Sudo/KDEsudo

May 29, 2010

I am new to fedora (been using debian based distro's for the longest time). With the new release I decided to give FC13 (The kde 64 bit spin) a try. I told it to wipe my entire hdd and encrypt the partitions. The partition manager made a few LVM partitions which I assume are encrypted.

The problem I am having is that if I attempt to use an application that would normally need root access to run, I am not prompted to enter my root password. Instead, I am required to logout and log back in as root. Is there a way to make it so that FC13 will prompt me to enter in my root password so I do not need to log in and out? Or is there something Different I should have done during the install process? Also, what is the terminal equivalent of "sudo" in fedora, or is it still sudo/KDEsudo

I also have not used SE Linux before. Do I need to manually enforce the permissions for my applications and generate my own profiles for it, or is that done automatically?


Programming :: Automate The Password Prompt Required For Sudo Commands?

May 31, 2011

I have written a script to run commands on remote servers, it is working fine. But when I am running "sudo commands" on the remote servers, it asks for my password after prompting for ssh password. I am unable to automate this password prompt (which is just after ssh password prompt). This is the function I am using to provide passwords.

Code:

pass ()
{
cd $DIR/"$dt1"_"$dt"
/usr/bin/perl << 'EOF'
use strict;

[code]....

I want the same function to be used , when it expects for sudo passwords for any of the below lines:

Code:

[sudo] password for vikas:
or
Password:

This is my "cmd" file passed in pass () function.

Code:

ssh -t -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no 192.168.1.100 "bash rcmds"

This is my script output

Quote:

[vikas@box1 ~]$ ./rscript.sh
++ rm -rf /home/vikas/May_31
++ mkdir -p /home/vikas/May_31
++ set +x

[code]....

how to automate the password prompt required for sudo commands.


Ubuntu :: Commands - Sudo Kill -9 -1 - Screen Became Blank - Keyboard Not Responding

Jul 11, 2011

I am learning linux commands. I just wanted to see what happens when I type

Code:

The screen became blank. Keyboard was not responding. I couldn't do a proper shutdown. I switched off computer by pulling out the plug. When I restarted, I heard a series of beeps (approximately 10 beeps). Then I was dropped to the grub prompt. The problem now is I can not type anything into the grub prompt, because the character 'c' is continuously printed across the screen like this:

Code:

I couldn't stop the character 'c' from printing (I tried pressing Esc, Ctrl+C)

The solution is easy. I can reinstall grub from a livecd. Or even reinstalling the entire operating system wouldn't take more than 30 minutes. But I want to know:

1) What exactly happened to grub? What stage does this error belong to (1, 1.5 or 2)? What is the error number?

2) How can running "sudo kill -9 -1" affect grub?


General :: Can't Execute Commands As Sudo Nor Access Sudoers File In Mandriva 2010.1

Aug 16, 2010

Since a recent upgrade to Mandriva 2010.1 I am not able to 'sudo' as administrator or when I use the 'root' password. I am the only user on this machine (Dell Inspiron 530S multi-booted with Windows Vista Home Premium, Ubuntu 10.4, and Mandriva 2010.1). I can get into the 'Manage Users' section of the control center by authenticating as 'root' but I can't access 'sudoers file' from command line.


General :: Server Terminal Keyboard Shortcut "F5" To Run Commands Sudo Apt-get Update

Sep 10, 2010

I was wondering is there a way to bind say "F5" to the command sudo apt-get update so I can press one key to write this into the terminal?


Security :: Allow Users To Run Specified Commands Only?

May 24, 2011

I want to restrict some of my Operating System users running unwanted commands. I just want them to run specified commands only. How can i achieve this?


Security :: Run Commands As Root ?

Mar 4, 2010

I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create an user with root privileges to do that also the process must be silent (no password asked).

How can I do this without adding a user in sudoers and without giving rights to all users to execute the commands from that bash file?

I have tried SUID option which would have been good as functionality but I understand that SUID doesn't work for script bash files.


Ubuntu Security :: Way To Monitor Use Of Rm Commands?

Mar 9, 2011

is there a way to monitor use of rm, cp and mv commands? (other than in history)... i would prefer if it were logged in /var/log directory with time and command (with its arguments).


Security :: Log All The Commands Executed By Root ?

Aug 11, 2010

I want to get a log of all the commands executed by the root user with the following details:

incoming ip
username (thru which su was executed)
time and date
all the commands executed as mentioned above.

Also if user has managed to login as root, he should not be able to disable / delete the above info. Can this info be collected at some other physical server ?


Security :: Monitoring Executed Commands?

Dec 15, 2010

I've firewall machine customers connect on it then connect to one of another 3 machines as root through ssh key, is there any way to know which user connect to which machine and what command that he has executed without using script command?


Security :: Disable 'sync' And 'who' Commands?

Feb 5, 2010

I read somewhere that 'sync' and 'who' commands in linux should be disabled. While i can understand that for the 'who' command, why so for 'sync'?

I can find sync and who as one of shell commands, whereas also in /bin/sync and /usr/bin/who. Are the shell commands and those in bin directory meant to serve the same purpose?

Finally, how can i disable these commands?


Security :: Cmnd_Alias Entries In Sudo?

Jan 5, 2010

Like many (most?) home users, until now I've had my regular userid in sudoers as "ALL = (ALL) ALL". It occurs to me that, even though my machine has no open ports, this is probably not a good idea - just in case my firewall suddenly burns down. So, if my thinking is right on this, I'm wondering if there is a generally approved list of Cmnd_Alias entries? At this point, I've decided to only add entries as I use them, and to try to honestly appraise my need to do the entry as sudo, vs opening a virtual console as root. My root password is non-trivial.


Security :: Using Sudo Instead Of Root Be Safer?

Apr 5, 2011

Consider: [URL]

In security terms, would using sudo instead of root be safer? I'd actually prefer to use this if so; I like sudo an awful lot. (It's Mark Shuttleworth's fault)


Security :: Sudo Asking For Password When It Shouldn't?

May 9, 2011

I have a RHEL 5.5 system set up with two users in the sudoers file to run certain commands without a password prompt. I do not have "Defaults requiretty" in the sudoers file. However, for both users, when I issue: sudo -l, it prompts for a password and logs in /var/log/secure:

sudo: userx: no tty present and no askpass program specified


Security :: Sudo To Root Without Password?

Jan 26, 2011

We have a couple of clusters that are running Oracle. If you're familiar with Oracle you know that it basically has to be installed as root. Something I detest. anyway, when we are building out the box, we change the root pw and give it to the DBA team to do their installs and configs. When they are done, we change the root pw (and do not give it to them), and configure sudo to allow them the rights needed to manage Oracle and their databases.

Now however, we have a different situation. The DBAs need access to uninstall and reinstall components and make modifications on an ongoing basis. Since we only support OS and hardware, not app, they are requesting permanent root access. I promptly told them no, and the politics ensued. Their manager went to their director, who went to my director, and suddenly an exception is given for his good golfing buddy. So here I am, forced to turn loose DBAs on my clusters with full root access/pw. I need a way to allow specific users (or perhaps a specific user group) the ability to become root WITHOUT sharing the root pw with them.


Fedora Security :: Bash Commands As Root

Mar 3, 2010

I need to launch a bash file in Linux from an unprivileged user session, file that will run bash commands as root. But I do not want to create an user with root privileges to do that.








Copyrights 2005-15 www.BigResource.com, All rights reserved