On Tue, Oct 01, 2013 at 11:37:24AM -0430, Germana Oliveira wrote:
> Thanks! Steve and Judith...
> As I understand, Steve, you mean I should (for example) give
> permission to only use vim or gedit; so I can prohibit the user
> from doing vim /etc/sudoers or gedit /etc/sudoers?

If you want to prevent a user from using sudo to edit a particular file, you
must not give them access to any general-purpose editor. Both vim and gedit
allow the user to open any file *after* the program has been launched, so
restricting the allowed command lines is not sufficient to prevent them from
editing /etc/sudoers.

Also, there are *lots* of other files on the system that they could edit in
order to gain root. They could edit /etc/passwd to change their uid; they
could edit /etc/shadow to set the root password to something they know; they
could edit /etc/pam.d/ssh to give themselves a root login that bypasses
authentication. If you let the user sudo to any command that lets them edit
files directly as root, they are root on your system and can do anything.

So we've established what you want the user to *not* be able to do: you want
them to not edit /etc/sudoers. But what are the things that you *do* want to
allow them to do? It might be better to approach from the other direction,
and identify those specific things the user should be allowed, working
through how to allow each of those securely.

Alternatively, you could run your system using SELinux, so that root isn't
really root. ;)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

> On 01/10/13 11:28, Steve Langasek wrote:
> > On Tue, Oct 01, 2013 at 12:30:42PM -0300, Judith Buseghin wrote:
> > > Sorry, I had an error in the script.
> > > Corrected script:
> > > #!/bin/bash
> > > chmod 554 /etc/sudoers
> > > cp "$1" /etc/sudoers
> > > chmod 440 /etc/sudoers
>
> > I think you misunderstood the intent, which was to *prevent* a user from
> > editing /etc/sudoers to give themselves expanded rights.
>
> > And I think the answer is that you can only do this effectively if you grant
> > the user access to a finite whitelist of programs... no globs across
> > /usr/bin/* or the like. There are too many editors and other programs that
> > will give a user arbitrary file I/O.
>
> > BTW, not sure why in your script above you are setting /etc/sudoers mode
> > 554. That's setting an executable bit on the file, which serves no purpose;
> > and makes it world-readable, which is not wanted.
>
> > Cheers,
>
> -- 
> http://g0liv3ir4.wordpress.com
> twitter g0liv3ir4
> identi.ca goliveira
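As an added example (not code from this thread), here is a small POSIX shell check that applies the point made above to a sudoers file before it is installed: it flags any user rule that grants ALL, a wildcard command path, or a program that gives arbitrary file I/O or a shell once running as root, so that only a finite whitelist of specific commands survives review. The RISKY_CMDS list and the sample rules are constructed assumptions for the demo.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a sudoers file for rules
# that grant a general-purpose editor, a shell or a wildcard command path.
# Any such rule is equivalent to full root for that user.
# Programs that let the user read or write any file, or spawn a shell, once
# running as root. Assumption: this list is illustrative, not complete.
RISKY_CMDS=' vi vim nvim gedit nano emacs less more sh bash dash cp mv tee dd '

# Usage: audit_sudoers FILE
# Prints each user rule that grants ALL, a wildcard path or a risky program;
# returns 1 if any such rule was found, 0 if the file is clean.
audit_sudoers() {
    file="$1"; found=0
    set -f                       # keep /usr/bin/* from glob-expanding
    while IFS= read -r line; do
        # Skip blanks, comments, Defaults lines and alias definitions.
        case "$line" in ''|'#'*|Defaults*|*_Alias*) continue ;; esac
        case "$line" in *=*) rest="${line#*=}" ;; *) continue ;; esac
        rest="${rest#*\)}"       # drop the optional "(runas)" part
        while [ -n "$rest" ]; do
            case "$rest" in      # next comma-separated command entry
                *,*) entry="${rest%%,*}"; rest="${rest#*,}" ;;
                *)   entry="$rest";        rest='' ;;
            esac
            entry="${entry##*:}" # drop tags such as NOPASSWD:
            set -- $entry        # word-split: $1 is the program path
            cmd="${1:-}"; base="${cmd##*/}"
            case "$cmd" in ALL|*/\*) echo "$line"; found=1; break ;; esac
            case "$RISKY_CMDS" in *" $base "*) echo "$line"; found=1; break ;; esac
        done
    done < "$file"
    set +f
    return "$found"
}

# Constructed sample for the demo; not a real sudoers file.
SAMPLE_SUDOERS='Defaults env_reset
Cmnd_Alias SERVICES = /usr/sbin/service
alice ALL=(root) /usr/bin/vim /etc/hosts
bob   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
carol ALL=/usr/bin/*
dave  ALL=(root) sudoedit /etc/hosts'

# Writes the sample to a temp file and audits it; exit status 1 = findings.
demo() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
    audit_sudoers "$tmp"; status=$?
    rm -f "$tmp"; return "$status"
}
```

Running `demo` prints the alice and carol rules (editor and wildcard) and leaves the bob and dave rules alone, since sudoedit keeps the editor itself unprivileged.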