
Re: sudoers



On Tue, Oct 01, 2013 at 12:30:42PM -0300, Judith Buseghin wrote:
> Sorry, I had an error in the script.

> Corrected script:

> #!/bin/bash
> chmod 554 /etc/sudoers
> cp "$1" /etc/sudoers
> chmod 440 /etc/sudoers

I think you misunderstood the intent, which was to *prevent* a user from
editing /etc/sudoers to give themselves expanded rights.

And I think the answer is that you can only do this effectively if you grant
the user access to a finite whitelist of programs... no globs across
/usr/bin/* or the like.  There are too many editors and other programs that
will give a user arbitrary file I/O.

BTW, not sure why in your script above you are setting /etc/sudoers mode
554.  That's setting an executable bit on the file, which serves no purpose;
and makes it world-readable, which is not wanted.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

> 2013/10/1 Judith Buseghin <judibuse@gmail.com>
> 
> > You can create a script changesudoers.sh like that..
> >
> > #!/bin/bash
> > chmod 554 /etc/sudoers
> > cp "$1" /etc/
> > chmod 440 /etc/sudoers
> >
> > edit newsudoers
> >
> > run a script..
> >
> > sudo changesudoers.sh newsudoers
> >
> > 2013/10/1 Germana Oliveira <germanaoliveirab@gmail.com>
> >
> >> Hi!
> >>
> >> I am using the sudoers file to try to limit the things a user can do with
> >> sudo. The sudo is going to be used because this is a lab to teach
> >> informatics, so people probably need to know administrative tasks... but I
> >> want to avoid them changing the root password and editing the sudoers file.
> >>
> >> So, I have this in sudoers:
> >>
> >> user1  ALL=/usr/bin/*, /usr/sbin/*, /bin/*, /sbin/*, !/usr/bin/passwd
> >> root, !/bin/su
> >>
> >> How can I prevent user1 from editing the sudoers file??
> >>
> >> Thanks!
> >>
> >> --
> >> http://g0liv3ir4.wordpress.com
> >> twitter g0liv3ir4
> >> identi.ca goliveira
> >>
> >>
> >

Attachment: signature.asc
Description: Digital signature
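Steve's point about a finite whitelist versus directory globs, shown as a sudoers fragment; this is an added example and not part of any message in the thread, and the whitelisted command list (apt-get update, two systemctl invocations, reboot) is an assumption standing in for whatever the lab actually needs.

```sudoers
# Added example (not from this thread). Weak form, as posted: directory
# globs with "!" exceptions. Any editor or other program matched by the
# globs gives the user arbitrary file I/O, so the exceptions do not hold.
#user1  ALL=/usr/bin/*, /usr/sbin/*, /bin/*, /sbin/*, !/usr/bin/passwd root, !/bin/su

# Tighter form: a finite whitelist of the commands the lab actually needs,
# each with its full path and fixed arguments. The command list here is an
# assumption for this example. Nothing outside the alias is permitted, so
# no "!" entries for passwd or su are needed. Install the file with visudo,
# which checks the syntax, and keep /etc/sudoers at mode 0440, owned by root.
Cmnd_Alias LAB_ADMIN = /usr/bin/apt-get update, \
                       /bin/systemctl restart apache2, \
                       /bin/systemctl status apache2, \
                       /sbin/reboot ""

user1  ALL=(root) LAB_ADMIN
```

The trailing `""` on `/sbin/reboot` is sudoers syntax for "no arguments allowed"; a path with no argument list would accept any arguments.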