On Tue, Oct 01, 2013 at 12:30:42PM -0300, Judith Buseghin wrote:
> Sorry, I had an error in the script.

> Corrected script:

> #!/bin/bash
> chmod 554 /etc/sudoers
> cp `echo $1` /etc/sudoers
> chmod 440 /etc/sudoers

I think you misunderstood the intent, which was to *prevent* a user from
editing /etc/sudoers to give themselves expanded rights.

And I think the answer is that you can only do this effectively if you grant
the user access to a finite whitelist of programs... no globs across
/usr/bin/* or the like.  There are too many editors and other programs that
will give a user arbitrary file I/O.

BTW, not sure why in your script above you are setting /etc/sudoers mode
554.  That's setting an executable bit on the file, which serves no purpose;
and makes it world-readable, which is not wanted.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

> 2013/10/1 Judith Buseghin <judibuse@gmail.com>
>
> > You can create a script changesudoers.sh like that..
> >
> > #!/bin/bash
> > chmod 554 /etc/sudoers
> > cp `echo $1` /etc/
> > chmod 440 /etc/sudoers
> >
> > edit newsudoers
> >
> > run a script..
> >
> > sudo changesudoers.sh newsudoers
> >
> >
> > 2013/10/1 Germana Oliveira <germanaoliveirab@gmail.com>
> >
> >> Hi!
> >>
> >> I am using the sudoers file to try to limit the things a user can do with
> >> sudo. Sudo is going to be used because this is a lab to teach
> >> informatics, so people probably need to know administrative tasks... but I
> >> want to avoid them changing the root password and editing the sudoers file.
> >>
> >> So, I have this in sudoers:
> >>
> >> user1 ALL=/usr/bin/*, /usr/sbin/*, /bin/*, /sbin/*, !/usr/bin/passwd
> >> root, !/bin/su
> >>
> >> How can I avoid user1 editing the sudoers file??
> >>
> >> Thanks!
> >>
> >> --
> >> http://g0liv3ir4.wordpress.com
> >> twitter g0liv3ir4
> >> identi.ca goliveira
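The point made in the reply above, as an added example that is not part of the original thread: a small audit of a sudoers command list that reports glob grants, the deny entries layered on top of them, and whether programs that can write files remain allowed. The parser is simplified, and the allowlist rule, its two lab commands and the sample program paths are constructed assumptions.

```python
import fnmatch

# Rule from the original question, with the wrapped line joined.
PAGE_RULE = ("user1 ALL=/usr/bin/*, /usr/sbin/*, /bin/*, /sbin/*, "
             "!/usr/bin/passwd root, !/bin/su")
# Constructed allowlist rule; both commands are hypothetical lab tasks.
ALLOWLIST_RULE = "user1 ALL=/usr/bin/apt-get update, /usr/sbin/service cups restart"
# Constructed sample of programs that can write files: one editor, plus the
# cp and chmod used by the script in the thread. Paths are assumptions.
FILE_WRITERS = ["/usr/bin/nano", "/bin/cp", "/bin/chmod"]


def parse_commands(rule):
    """Return [(negated, path_pattern, args)] from 'user host=cmd, cmd, ...'.

    Simplified: no aliases, Runas specs, tags or escaped commas."""
    cmds = []
    for item in rule.partition("=")[2].split(","):
        item = item.strip()
        if item:
            negated = item.startswith("!")
            path, _, args = item.lstrip("!").strip().partition(" ")
            cmds.append((negated, path, args.strip()))
    return cmds


def is_allowed(cmds, path, args=""):
    """Last matching entry wins, as in sudoers; '*' does not cross '/'."""
    verdict = False
    for negated, pattern, want_args in cmds:
        same_depth = pattern.count("/") == path.count("/")
        path_ok = pattern == "ALL" or (same_depth and fnmatch.fnmatchcase(path, pattern))
        if path_ok and (not want_args or want_args == args):
            verdict = not negated
    return verdict


def audit(rule):
    """Flag glob grants, deny entries layered on them, and reachable file writers."""
    cmds = parse_commands(rule)
    globs = [p for neg, p, _ in cmds if not neg and (p == "ALL" or set(p) & set("*?["))]
    return {
        "glob_grants": globs,
        "denylist_entries": [p for neg, p, _ in cmds if neg and globs],
        "file_writers_allowed": [w for w in FILE_WRITERS if is_allowed(cmds, w)],
    }


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("allowlist", ALLOWLIST_RULE)):
        print(name, audit(rule))
```

Whatever rule replaces the glob grant should still be syntax-checked with `visudo -c` before it is installed.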