
Re: [OT] sudo: restrict to physical console only?



Hi.

On Tue, Aug 04, 2020 at 04:20:58PM -0400, Dan Ritter wrote:
> Reco wrote: 
> > On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco M?ller wrote:
> > > Is it possible (how?) to restrict a user to only be allowed to make use of its sudo usage permission if working at the physical console, not granting to this
> > > user sudo permission when i.e. logged in via ssh? To keep it simple, I could imagine to even have all sudo for all users deactivated automatically as soon as
> > > a remote connection by ANY user is detected.
> > 
> > Yes. It's an unusual (some may say - dangerous) thing that you're
> > asking, so prepare for the unusual side effects.
> > 
> > --- a/etc/pam.d/sudo   2020-08-04 18:40:26.528699633 +0000
> > +++ b/etc/pam.d/sudo   2020-08-04 18:40:26.296579395 +0000
> > @@ -1,5 +1,6 @@
> >  #%PAM-1.0
> > 
> >  @include common-auth
> > +auth required pam_succeed_if.so tty =~ /dev/tty*
> >  @include common-account
> >  @include common-session-noninteractive
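Review bot: the added `auth required pam_succeed_if.so tty =~ /dev/tty*` line uses a glob, not a regex (`=~` in pam_succeed_if is a glob match), and `/dev/tty*` also admits /dev/ttyS* serial and /dev/ttyUSB* lines; if only the virtual consoles are meant, `/dev/tty[0-9]*` is the narrower pattern. Because the line sits after `@include common-auth` and is `required` rather than `requisite`, a remote user is still prompted for a password before the tty check fails; placing it before the include as `requisite` denies without the prompt, and `quiet_fail` keeps the expected denials out of syslog.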
> > 
> > 
> > I'm assuming that by "physical console" you mean that lovely
> > conventional virtual terminal kernel facility (i.e. those funny letters
> > that appear on your screen when you press Ctrl+Alt+F2). Be warned that
> > in the current form it *will* break sudo for anyone, root included, for
> > any process whose "tty" attribute does not match /dev/tty*, be it ssh,
> > screen, tmux, and (possibly) X/Wayland sessions.
> > Worked for me in the case of real servers, just in case.
>  
> It should also match for serial connections, including modem users,
> should you have any of such. And USB serial terminals.

I consider it a feature, not a deficiency. It cannot be called a server
unless it features an RS-232-based console connection typically assigned
to ttyS0, and locking myself out of it is not something that I'd do.
But, as they say, patches are welcome.

Reco
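Added example, not from the thread or from the pam_succeed_if module itself: a POSIX sh emulation of the module's `tty =~ glob` test (a glob match, not a regex), run over constructed tty names. It shows that the patch's `/dev/tty*` also admits the serial and USB-serial lines Dan mentions, while `/dev/tty[0-9]*` admits only the virtual terminals.

```shell
#!/bin/sh
# Constructed sample of values sudo could hand PAM as the "tty" item:
# two virtual consoles, a serial console, a USB serial adapter and an
# ssh/tmux pseudo-terminal. Not taken from any real host.
SAMPLE_TTYS="/dev/tty1 /dev/tty2 /dev/ttyS0 /dev/ttyUSB0 /dev/pts/0"

# tty_matches PATTERN DEVICE: exit 0 if DEVICE matches the glob PATTERN.
# A shell case pattern gives the same glob semantics pam_succeed_if uses
# for "=~" (this emulation is an assumption for illustration only).
tty_matches() {
    pattern=$1
    device=$2
    case "$device" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# list_allowed PATTERN: print, space-separated, the sample devices that
# PATTERN would let through the pam_succeed_if check.
list_allowed() {
    pattern=$1
    allowed=""
    for dev in $SAMPLE_TTYS; do
        if tty_matches "$pattern" "$dev"; then
            allowed="$allowed $dev"
        fi
    done
    printf '%s\n' "${allowed# }"
}

# Compare the pattern from the patch with the narrower VT-only one.
for p in '/dev/tty*' '/dev/tty[0-9]*'; do
    printf '%-16s admits: %s\n' "$p" "$(list_allowed "$p")"
done
```

A pseudo-terminal such as /dev/pts/0 fails both patterns, which is what blocks ssh, screen and tmux sessions as described above.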

