On Tue, Oct 01, 2013 at 11:37:24AM -0430, Germana Oliveira wrote:
Thanks! Steve and Judith...
as i understand, steve, you mean i should (for example) give
permission to only use of vim or gedit; so i can prohibit the user
to do vim /etc/sudoers or gedit /etc/sudoers ?
If you want to prevent a user from using sudo to edit a particular file, you
must not give them access to any general-purpose editor. Both vim and gedit
allow the user to open any file *after* the program has been launched, so
restricting the allowed commandlines is not sufficient to prevent them from
editing /etc/sudoers.
Also, there are *lots* of other files on the system that they could edit in
order to gain root. They could edit /etc/passwd to change their uid; they
could edit /etc/shadow to set the root password to something they know; they
could edit /etc/pam.d/ssh to give themselves a root login that bypasses
authentication.
If you let the user sudo to any command that lets them edit files directly
as root, they are root on your system and can do anything.
So we've established what you want the user to *not* be able to do: you want
them to not edit /etc/sudoers. But what are the things that you *do* want
to allow them to do? It might be better to approach from the other
direction, and identify those specific things the user should be allowed,
working through how to allow each of those securely.
Alternatively, you could run your system using SELinux, so that root isn't
really root. ;)