Security :: Take Away Ability Of Using Sudo For Common Users
Mar 9, 2011
I decided to consult you before making any changes, because the clients' PCs are spread all over the country and I do not have the physical access to their boxes.The idea is to take away the ability of using sudo for common users.I know that the syntax of this file may vary a bit in different distributions.Our OS is Ubuntu 10.10.I created the account 'support' for me and other technician stuff of our department. So, 'support' user must have all the power. And common users mustn't have access to 'sudo'. This is the requirement.As far as I remember, in Slackware the user must be a member of 'wheel' group to be able to use 'sudo' (but I may be wrong).
So, I am looking to implement an FTP server with Isolated Client accounts/directories where a client can only access what's in their directory. I also need to provide my internal user's (content managers) the ability to upload, delete, etc from all of the Client accounts. The simple part is creating the secure client accounts. It's a matter of changing DIR_MODE in adduser.conf to 700 or 770, creating a user, having the FTP server chroot them to their home directory, revoke/restrict shell/ssh access and maybe even slap on some ACL to prevent botched permissions.The hard part is figuring out how to give my power users the ability to access all of their folders without thrashing security.
My first thought was to put all of the client user-groups in a parent group and having my internal users inherit group permissions..but you can't have groups inside of groups.My second thought was to put all of the client users in the same group and prey that the FTP chroot is enough to keep them from poking around but then I have the problem of how do my internal users access other user directories if they are chrooted. Do I create a second server without chroot.do I create some weird nested homedir structure..I honestly have no idea how to satisfy both requirements (secure client accounts and privileged user accounts). I need my privileged users to authenticate against Active Directory via Likewise open, LDAP, etc and I don't care how the clients authenticate. Though, I would prefer to have both file and FTP-server level protection just to make sure no one can see the other client's data.
We are trying to set up a classroom training environment where our SIG can hold classes for prospective converts from Microsoft/Mac. The ten machines will have /home/student01..10 and /home/linsig01..10 as users. We want /home/student01 to be able to explore and sudo so they can learn to administer their personal machines at home. We don't want them to be able to modify (sudo) /home/linsig01. I've seen the tutorial on Access Control Lists but I'd like other input so we get it right the first time.
I've set up a user account for friends & colleagues that does NOT require a login password. Unfortunately, in this OS some things don't work unless you login -- sudo Must regular users have AND use Root's password?
A day ago I finally got around to upgrading the PackageKit installation that had been sitting for a week and a half, so I found a new upgrade for sudo available - the one that gives the sudoreplay command, I forget which version number it is exactly. When I try to use the sudo command I get this notice in my terminal:Code:Can't open /var/db/sudo/me/1: Permission deniedI didn't get it before. What do I have to do to make it open? I'm using SELinux in enforcing mode if that helps.
I've been reading a lot of articles on Xorg XWindow System having the ability to allow 6600/tcp for remote screen connections and I've been trying to find a way to remove the functionality without having to just dump XWindow and settle for CLI on my server. I heard it was disabled by default, but I just want to get rid of that ability completely by cutting it out of it's code and yes, I'm feeling very, very paranoid.
I know very little about MySQL, but I've got some users that need it for testing on a Linux server.So I had set it up a while back, but now I'm running into some small problems.Right now, each user has his own database that I created and can do whatever with it. Each user only sees their own database.I didn't want them to be able to create new databases at all, but they can and when they do anyone can see them.
EDIT(Apparently they can only create databases beginning with the word "test" in the name)
I need to either:
1) Stop them from creating new databases (without affecting their ability to interact with the existing database)
OR
2) Make it so that when they create a database, only they have privileges on it and only they can see it (except mysql root of course).
Anybody know the statement to set these kinds privileges up?
EDIT: pfft... I've a read a bit more and realize that this is an intended part of the installation.
EDIT2
I'd still like to remove the ability to make test databases.
EDIT3:Ok, for reference this is how you prevent users from making and using test databases:
shell> mysql -u root -p Enter password: (enter root password here) mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%'; mysql> FLUSH PRIVILEGES;
A create an application which has to bind to port less than 1024 and must be launched under non-root user. OS: Ubuntu 10.04. Decision 1: Using a firewall to redirect packets. Problem: This decision is not good for me. I need simple way to solve the problem. Decision 2: Use CAP_NET_BIN_SERVICE. Problem: My execution file has 2,7G size. It is very big application with a lot of debug info. setcat command return an error:
Does anyone know any common apache 2.2 exploits and how to stop them? I am setting up a web server and want it to be secure as possible. I currently have a basic lamp server on a ubuntu server.
I am new to fedora (been using debian based distro's for the longest time). With the new release I decided to give FC13 (The kde 64 bit spin) a try. I told it to wipe my entire hdd and encrypt the partitions. The partition manager made a few LVM partitions which I assume are encrypted.
The problem I am having is that if I attempt to use an application that would normally need root access to run, I am not prompted to enter my root password. Instead, I am required to logout and log back in as root. Is there a way to make it so that FC13 will prompt me to enter in my root password so I do not need to log in and out? Or is there something Different I should have done during the install process? Also, what is the terminal equivalent of "sudo" in fedora, or is it still sudo/KDEsudo
I also have not used SE Linux before. Do I need to manually enforce the permissions for my applications and generate my own profiles for it, or is that done automatically?
I have installed php 5.3.6-4 on centOS 5.6. When i try to install some modules of php then it gives an error
php53-common-5.3.3-1.el5_6.1.i386 from updates has depsolving problems --> php53-common conflicts with php-common Error: php53-common conflicts with php-common
[code]....
I have reinstall it twice but each time i get same error.
I was adding me and my bud to a new group I created, but I used -G instead of -g as the tutorial suggested, I think this removed me from all other groups and put me in the new one. The same with my bud. Now I dont have sudo privileges, nor does my bud, and we have not set a password for the root account.
Code: sudo ls -l USER@SERVER:/var$ sudo password for USER: USER is not in the sudoers file. this incident will be reported. USER@SERVER:/var$
Is there a way to allow users from a remote account (say, those connecting to the X server from a remote location) to sudo? What kind of account do you need to add to /etc/sudoers to be able to allow this to happen?
i would like to prevent all users other than the user "parker" on my system from using the su or sudo commands. I have not attempted to modify the sudoers file so it just contains the standard root ALL = (ALL) ALL.
As per subject, what's the best way to run a CRON job for something that "normal" users need to run as SUDO? There is a problem with the internal clock on my PC so at a regular time (every hour or day for example) I want to sync with my Network Time server. I use "sudo ntpdate time.bgr.local" as it is now and have to enter my user's password for it to work.I know root is disabled by default and would like to keep it that way if possible but if I have to enable it and then add it to root's cron list the so be it but would prefer not to.
i want to create a sudo user, sudo user should not start or stop the service. as like a normal user i created a user called root2 and i edited the user with visudo command and added the below line to the user root2 and got the full privilages.
root2 ALL=(ALL) ALL
i commented the below line ##Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig eventhough the sudo user root2 can start and stop the service which i dont want to give that privilage.
I was trying to list sudo users in a Linux Machine,
[root@redhat ~]# grep -v -E '^#' /etc/sudoers root ALL=(ALL) ALL %work ALL=(ALL) ALL %dilipvp ALL=(ALL) ALL
where work is a group and dilipvp is user. Can you help me in creating a better script which can list the members of the group work as well. and why I am getting empty space in between.
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
I have an environment with multiple projects that have a variety of government and commercial sponsors. We have been satisfied to this point with a netapp serving nfs/cifs and keeping a tight reign on nfs exports.Some of these projects have started asking us to provide access restricted sub-folders of the project space based on different groups that contain a user subset of the primary group.
We have a linux machine that serves as a version control front end to the netapp, mounting the project spaces via nfs. People are now mounting their project space via sshfs to this "front end" and sharing the root password of this sshfs client with everyone in their project, in turn creating a security hole to access the so called restricted sub-folders. I know all the obligatory responses referring to irresponsible user behavior but would like to see how others have addressed something like this where user behavior seems out of control.
I've installed rubygems on ubuntu, but it has a known issue that the rubygems' bin/ directory is not in the PATH. I know about exporting the PATH variable, and adding it to .bashrc, but I'd like to configure it so that every user has it on his PATH, even if he tries to run it with sudo. Where should I export the PATH variable then?
Like many (most?) home users, until now I've had my regular userid in sudoers as "ALL = (ALL) ALL". It occurs to me that, even though my machine has no open ports, this is probably not a good idea - just in case my firewall suddenly burns down. So, if my thinking is right on this, I'm wondering if there is a generally approved list of Cmnd_Alias entries? At this point, I've decided to only add entries as I use them, and to try to honestly appraise my need to do the entry as sudo, vs opening a virtual console as root. My root password is non-trivial.
In security terms, would using sudo instead of root be safer? I'd actually prefer to use this if so; I like sudo an awful lot. (It's Mark Shuttleworth's fault)
I have a RHEL 5.5 system set up with two users in the sudoers file to run certain commands without a password prompt.I do not have "Defaults requiretty" in the sudoers file.However, for both users, when I issue: sudo -l, it prompts for a password and logs in /var/log/secure:sudo: userx: no tty present and no askpass program specified
trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh. Is there a way to allow users to run anything they want except shells. I realise this is a default permit which inherently is defective, but I'm not convinced that going through the 1559 executable commands of my (as yet incomplete) built system to decided on the likely 1000+ commands I would want to be genuinely allowed. As I said this is for system administrators first, and I'd like to forcibly instil the habit of sudo <command> or using rootsh to get an audited shell. But I know people are already not doing enough sudo <command> as it stands, rather they switch to bash.