
Re: [OT] sudo: restrict to physical console only?



Reco wrote: 
> 	Hi.
> 
> On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco M?ller wrote:
> > Is it possible (and how?) to restrict a user so that they may only make use of their sudo permission when working at the physical console, not granting this
> > user sudo permission when, e.g., logged in via ssh? To keep it simple, I could even imagine having all sudo for all users deactivated automatically as soon as
> > a remote connection by ANY user is detected.
> 
> Yes. It's an unusual (some may say - dangerous) thing that you're
> asking, so prepare for the unusual side effects.
> 
> --- a/etc/pam.d/sudo   2020-08-04 18:40:26.528699633 +0000
> +++ b/etc/pam.d/sudo   2020-08-04 18:40:26.296579395 +0000
> @@ -1,5 +1,6 @@
>  #%PAM-1.0
> 
>  @include common-auth
> +auth required pam_succeed_if.so tty =~ /dev/tty*
>  @include common-account
>  @include common-session-noninteractive
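
Review bot: the `=~` operator of pam_succeed_if is a glob (fnmatch-style) match, not a regular expression, so `/dev/tty*` in the added `auth required pam_succeed_if.so tty =~ /dev/tty*` line admits every tty name beginning with /dev/tty, including serial and USB-serial ports such as /dev/ttyS0 and /dev/ttyUSB0, while pseudo-terminals under /dev/pts (ssh, screen, tmux, most graphical terminals) and sessions with no tty at all are denied; if only the virtual consoles are meant, a narrower pattern such as `/dev/tty[0-9]*` expresses that. A second point is placement and control flag: because the line follows `@include common-auth` with `required`, a remote user is still asked for a password before the stack reports failure; putting the line before the include with `requisite` denies immediately without the prompt, which is easier to reason about and keeps the auth logs less confusing. It would also help to state in a comment that this is meant to break sudo for non-console sessions, root included, so nobody later "fixes" it.
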
> 
> 
> I'm assuming that by "physical console" you mean that lovely
> conventional virtual terminal kernel facility (i.e. the funny letters
> that appear on your screen when you press Ctrl+Alt+F2). Be warned that
> in the current form it *will* break sudo for anyone, root included, for
> any process whose "tty" attribute does not match /dev/tty*, be it ssh,
> screen, tmux, and (possibly) X/Wayland sessions.
> Worked for me in the case of real servers, just in case.
 
It should also match serial connections, including modem users,
should you have any such. And USB serial terminals.

-dsr-
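Since the effect of the PAM line hinges entirely on which tty names the glob admits, the following added example (not part of the thread, and not code from either poster) emulates that match with a shell `case` pattern, which uses the same glob rules as the fnmatch-style `=~` of pam_succeed_if, over a constructed set of tty names a login session can report. It also tries an assumed narrower pattern, `/dev/tty[0-9]*`, to show how the serial and USB-serial devices mentioned above can be kept out if only the virtual consoles are wanted:

```shell
#!/bin/sh
# Added example, not from the thread: emulate the glob that
# pam_succeed_if's "tty =~ PATTERN" applies to the session tty.
# A POSIX shell case pattern follows the same glob rules for these
# inputs, so a pattern can be checked before it goes into /etc/pam.d/sudo.

# admitted_by PATTERN TTY -> prints "allow" or "deny"
admitted_by() {
    pattern=$1
    tty=$2
    # $pattern is deliberately unquoted so it acts as a glob, not a literal
    case "$tty" in
        $pattern) echo allow ;;
        *)        echo deny ;;
    esac
}

# Constructed tty values as sessions typically report them:
#   /dev/tty2     virtual console (Ctrl+Alt+F2)
#   /dev/ttyS0    serial port / modem
#   /dev/ttyUSB0  USB serial adapter
#   /dev/pts/3    ssh, screen, tmux, terminal emulators
#   -             placeholder for "no controlling tty" (cron, scripts)
SAMPLE_TTYS='/dev/tty2 /dev/ttyS0 /dev/ttyUSB0 /dev/pts/3 -'

# report PATTERN: one "tty  verdict" line per sample tty
report() {
    for t in $SAMPLE_TTYS; do
        if [ "$t" = "-" ]; then
            t=""
        fi
        printf '%-14s %s\n' "${t:-<none>}" "$(admitted_by "$1" "$t")"
    done
}

echo "pattern from the thread: /dev/tty*"
report '/dev/tty*'
echo
echo "assumed narrower pattern, virtual consoles only: /dev/tty[0-9]*"
report '/dev/tty[0-9]*'
```

Running it prints the verdict for each sample name under both patterns: the thread's pattern allows /dev/tty2, /dev/ttyS0 and /dev/ttyUSB0 and denies /dev/pts/3 and the empty tty, whereas the narrower pattern allows only /dev/tty2. The empty-tty case is worth keeping in mind when deploying the rule, because it is what a cron job or an unattended script calling sudo will hit.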

