
Re: [OT] sudo: restrict to physical console only?



Hi Marco,

On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (how?) to restrict a user to only be allowed to make use of
> its sudo usage permission if working at the physical console, not granting
> to this user sudo permission when i.e. logged in via ssh?

I was intrigued by this question so I tried to find out how to do
it. I was unsuccessful and only got as far as:

    https://www.sudo.ws/pipermail/sudo-users/2009-April/004015.html

Probably the feature has not been added to sudo in the last 11 years
either.

Perhaps using pam_group.so you could force users on certain ttys
into a specific group, and allow that group (only) to use sudo?

    http://www.linux-pam.org/Linux-PAM-html/sag-pam_group.html

I've never done it but the above seems to imply that putting
something like:

     *;tty*;*;*;mysudogroup

into /etc/security/group.conf would put any user logging in on tty*
into the group "mysudogroup". If you allowed "mysudogroup" to use
sudo in /etc/sudoers then maybe that works.

I would be interested to know if that is a workable solution.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
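To see what the proposed group.conf rule would actually do, here is an added example (not from the thread) that models pam_group's five-field rule matching in Python. The left-to-right evaluation of the '&'/'|' logic lists, the treatment of '*' in the times field as "always", and the PAM_TTY values an ssh login presents ('ssh' or 'pts/N') are assumptions of this model, not facts from the mail.

```python
"""Model of pam_group.so matching /etc/security/group.conf rules.
Added example, not from the mail. Fields: services;ttys;users;times;groups.
The first three are 'logic lists' of globs joined by '&'/'|', negated by
'!', evaluated here left to right; times is modelled only as 'always'."""
import re
from fnmatch import fnmatchcase

# Constructed config: the rule from the mail plus a contrasting ssh rule.
GROUP_CONF = """\
# services;ttys;users;times;groups
*;tty*;*;*;mysudogroup
sshd;*;*;*;remoteusers
"""

def logic_list(pattern: str, value: str) -> bool:
    """Evaluate a logic list such as 'tty*&!ttyp*' against one value."""
    result, op = None, None
    for tok in re.split(r"([&|])", pattern):
        if tok in ("&", "|"):
            op = tok
            continue
        hit = fnmatchcase(value, tok.lstrip("!")) != tok.startswith("!")
        if result is None:
            result = hit
        else:
            result = (result and hit) if op == "&" else (result or hit)
    return bool(result)

def always(times: str) -> bool:
    """Times field: only the 'always' spellings are modelled (assumption)."""
    return times in ("*", "Al0000-2400")

def groups_for_login(conf: str, service: str, tty: str, user: str) -> set:
    """Return the supplementary groups pam_group would add for this login."""
    granted = set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"malformed group.conf rule: {raw!r}")
        services, ttys, users, times, groups = fields
        # A rule grants its groups only when every field matches the login.
        if (logic_list(services, service) and logic_list(ttys, tty)
                and logic_list(users, user) and always(times)):
            granted.update(g.strip() for g in groups.split(","))
    return granted
```

With this config a login on tty1 gets mysudogroup while an sshd login with PAM_TTY 'ssh' or 'pts/0' does not, so a `%mysudogroup` entry in sudoers would be usable only from the console (provided pam_group.so is in the auth stack of the console login service).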