
Re: Configure sudo



And hi again,

As listed below, I'm using 'mail_always' in my sudoers list. Also, I receive all commands executed using sudo by mail.

servername : May 27 12:59:20 : sudotest : TTY=pts/1 ; PWD=/home/sudotest ; USER=root ; COMMAND=/usr/local/bin/adm.sh install apache2

Unfortunately I'm not able to say which user originated the command, as the user is always 'root'.

Is there any way to get the real user's name?

Thanks.

On 27.05.2012 at 12:54, Denis Witt <denis.witt@concepts-and-training.de> wrote:

> Hi again,
> 
> I came up with this now:
> 
> cat /usr/local/bin/adm.sh 
> 
> ---------------------------------------------------------------------------------
> 
> #!/bin/bash
> # Wrapper run via sudo; "$1" selects the action, "$2"/"$3" are its arguments.
> # Expansions are quoted so an argument containing whitespace stays one argument.
> 
> case "$1" in
>    install)
> 	echo "Install $2"
> 	apt-get install "$2"
> 	exit 0
> 	;;
>    restart)
> 	echo "Restart service $2"
> 	/etc/init.d/"$2" restart
> 	exit 0
> 	;;
>    reconfigure)
> 	echo "Reconfigure $2"
> 	dpkg-reconfigure "$2"
> 	exit 0
> 	;;
>    chmod)
> 	echo "Change file rights $2 $3"
> 	chmod "$2" "$3"
> 	exit 0
> 	;;
>    chown)
> 	echo "Change ownership $2 $3"
> 	chown "$2" "$3"
> 	exit 0
> 	;;
>    *)
> 	echo "Usage: 
> Use sudo when using this script (Example: sudo ./adm.sh install apache2).
> 
> Using this script you can execute the following commands as root-user via sudo:
> 
> install    : Install new packages via apt-get
>             Executes 'apt-get install \$2'
> restart    : Restart a service
>             Executes '/etc/init.d/\$2 restart'
> reconfigure: Reconfigure packages using dpkg-reconfigure
>             Executes 'dpkg-reconfigure \$2'
> chmod      : Change file access rights
>             Executes 'chmod \$2 \$3'
> chown      : Change file ownership
>             Executes 'chown \$2 \$3'
> 
> If you need some additional commands don't hesitate 
> to contact: root@localhost
> "
> 	exit 1
> 	;;
> esac
> 
> ---------------------------------------------------------------------------------
> 
> My /etc/sudoers list looks like this:
> 
> ---------------------------------------------------------------------------------
> 
> Defaults	env_reset
> Defaults	mailto="root@cat06.de"
> Defaults	mail_always
> 
> # User privilege specification
> root	ALL=(ALL) ALL
> 
> %sudo ALL=/usr/local/bin/adm.sh
> 
> ---------------------------------------------------------------------------------
> 
> For additional security I used 'chattr +i /etc/sudoers'. As soon as a new user is added to the 'sudo' group, he is able to use the adm.sh command and the commands listed in it. He can't see or edit this script. Also, he can't change the file access rights of /etc/sudoers even if he is using the script. For other files he can change access rights and groups, which is very useful if more than one user is writing certain files and may create new files using the wrong settings here.
> 
> All other commands listed in my first post to the list were set to be used without root credentials.
> 
> So it seems like a very nice solution to my question, much better than some kind of jail (which could be combined with the script above, of course). Thanks to anyone who replied to my original post.
> 
> Best regards
> Denis
> 
> On 25.05.2012 at 10:13, Denis Witt <denis.witt@concepts-and-training.de> wrote:
> 
>> Hi List,
>> 
>> we're running a server for a German bank. Of course we want to keep our services secure. A partner of ours has to install a web based service (php, python and sql) on this machine. This partner will also be in charge of support and maintenance of this software.
>> 
>> So he needs access to the server; sftp isn't enough. Changes to the web server's php.ini may be necessary from time to time. The web server needs some restarting, etc. Files must be edited and so on.
>> 
>> sudo might be a fine solution, but sudo is way too mighty in its defaults. I know that you can allow and disallow certain commands only.
>> 
>> sudo su must be disabled of course, also /etc/sudoers must be write protected, even for root. This is no problem if you use chattr +i /etc/sudoers. 
>> 
>> But I think enabling all commands and disallowing some, like su and all known shells ;), isn't a good way to go. I would like to disallow all commands by default but allow some of them:
>> 
>> * restarting of web server
>> * editing of php.ini
>> * file transfer (ftp-ssl, sftp, http, etc.)
>> * chmod/chown (some files only)
>> * git, svn, rcs
>> * some editors
>> * apt-get install but not remove
>> * dpkg-reconfigure
>> 
>> What else?
>> 
>> When I did some tests with sudoers I wasn't able to disallow certain commands with parameters like:
>> 
>> passwd root
>> 
>> The only way was to disable passwd at all, which isn't nice. Is there another way to allow some parameters for certain commands?
>> 
>> Thanks!
>> 
>> Best regards
>> Denis
>> 
>> --
>> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>> Archive: http://lists.debian.org/80E5D5CC-AE42-43E8-9125-D9C790B82970@concepts-and-training.de
>> 
> 
> 
> Archive: http://lists.debian.org/5408AEF9-65EA-4E55-B8B7-7AECAA2AB5BC@concepts-and-training.de
> 

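The mail_always line quoted at the top of the thread already carries the invoking account: the field before `TTY=` is the user who ran sudo, while `USER=` is the target user the command ran as (hence always root). The parser below is an added example, not code from the thread; it reads both the mail layout shown above and the syslog layout sudo writes, attributes each record to its invoker, and flags commands outside the single entry the quoted sudoers grants. The sample lines, the allowlist and all function names are constructed for this example.

```python
import re

# Field layout shared by sudo's mail and syslog records; names are my own.
_COMMON = (
    r"(?P<invoker>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# "host : timestamp : user : ..." as in the mail_always message quoted above.
MAIL_LINE = re.compile(r"^(?P<host>\S+) : " + _TS + r" : " + _COMMON)
# "timestamp host sudo:   user : ..." as sudo writes to syslog (padding after "sudo:").
SYSLOG_LINE = re.compile(r"^" + _TS + r" (?P<host>\S+) sudo: +" + _COMMON)

# The only command the thread's sudoers grants to %sudo (constructed allowlist).
ALLOWED_COMMANDS = {"/usr/local/bin/adm.sh"}


def parse_sudo_record(line):
    """Return the fields of one sudo mail/syslog line, or None if it is not one."""
    for pattern in (MAIL_LINE, SYSLOG_LINE):
        m = pattern.match(line.strip())
        if m:
            rec = m.groupdict()
            # COMMAND holds the resolved path followed by its arguments.
            rec["argv"] = rec["command"].split()
            return rec
    return None


def audit(lines, allowed=ALLOWED_COMMANDS):
    """Attribute each record to its invoking user and flag unexpected commands."""
    findings = []
    for line in lines:
        rec = parse_sudo_record(line)
        if rec is None:
            continue
        command = rec["argv"][0] if rec["argv"] else ""
        findings.append({"invoker": rec["invoker"], "target": rec["target"],
                         "command": command, "allowed": command in allowed})
    return findings


# Constructed sample: the line from the thread plus a syslog-format record
# for a command the quoted policy does not grant.
SAMPLE = [
    "servername : May 27 12:59:20 : sudotest : TTY=pts/1 ; PWD=/home/sudotest ; "
    "USER=root ; COMMAND=/usr/local/bin/adm.sh install apache2",
    "May 27 13:02:11 servername sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```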

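For the 'passwd root' question in the original post, sudoers matches command arguments literally or with shell-style wildcards, and a later entry prefixed with '!' excludes an otherwise matching command. The fragment below is an added illustration, not part of the thread; the group name %webpartner is an assumption, and the passwd pattern follows the form given in sudoers(5). Argument-based exclusion is documented there as fragile (it assumes passwd takes exactly one user name), so an allowlist wrapper such as adm.sh remains the sturdier approach.

```sudoers
# Constructed example: an allowlist of commands for the partner's group.
# Later entries win, so the '!' exclusion must follow the wildcard entry.
Cmnd_Alias ADM     = /usr/local/bin/adm.sh
Cmnd_Alias PASSWD  = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
Cmnd_Alias RESTART = /etc/init.d/apache2 restart

# Nothing else is granted; commands not listed here are denied by default.
%webpartner ALL = (root) ADM, PASSWD, RESTART
```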