How to restrict users from logging in as root via sudo -i, sudo su - and any other way, if one exists [duplicate]

This question already has an answer here:



  • Preventing other users from viewing my files [closed]

    3 answers



I have tried to restrict a user by editing the sudoers file with M ALL=!/bin/su. I am able to restrict sudo su - but not sudo -i.

























marked as duplicate by sourcejedi, Jeff Schaller, Rui F Ribeiro, jayhendren, G-Man Jan 24 '18 at 1:01


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.













  • 2





    A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…

    – Guy
    Jan 23 '18 at 11:27











  • If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via sudo doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run via sudo doesn't have any holes such as using environment variables controlled by the user.

    – Andrew Henle
    Jan 23 '18 at 11:32











  • I want to allow him all other activities, as he has to run scripts, but not to log in as root.

    – mmk_ind
    Jan 23 '18 at 11:51






  • 3





    A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would better refine the security model, defining whether certain users need to have root access or not.

    – Rui F Ribeiro
    Jan 23 '18 at 11:53












  • Trivial to get around ALL=!/bin/su. See: sudo su ## Permission denied but then ln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds

    – roaima
    Jan 23 '18 at 12:02
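The comments above point out that a '!' exclusion is bypassed by copying or symlinking the excluded binary elsewhere, and that only a real security model with an explicit allow-list is meaningful. As an added example (not from the question or any of the commenters), the following Python script shows the detection side of that observation: it parses sudo's syslog-format log lines and flags commands run as root from outside the trusted system directories, which is exactly the trace a renamed copy leaves behind. The log lines, host1, tomk, deploy and the paths in them are constructed for the example.

```python
"""Flag sudo log entries where root ran a program from a user-writable path.

Added example, not code from the question or its comments. sudo logs the
path it actually executed, so a copy or symlink of an excluded binary still
shows up in the log under its new name. This parser reads sudo's default
syslog-style lines and flags successful runs as root whose executable lives
outside the trusted system directories. All sample data is constructed;
host1, tomk, deploy and the paths are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories owned by root or the package manager; anything else is worth a look.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/")

# Constructed sample log in sudo's default syslog format (hypothetical host/users).
SAMPLE_LOG = """\
Jan 23 12:01:10 host1 sudo:     tomk : TTY=pts/0 ; PWD=/home/tomk ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 23 12:01:55 host1 sudo:     tomk : command not allowed ; TTY=pts/0 ; PWD=/home/tomk ; USER=root ; COMMAND=/bin/su
Jan 23 12:02:03 host1 sudo:     tomk : TTY=pts/0 ; PWD=/home/tomk ; USER=root ; COMMAND=/tmp/ouch
Jan 23 12:05:40 host1 sudo:     tomk : TTY=pts/0 ; PWD=/home/tomk ; USER=root ; COMMAND=/home/tomk/bin/run.sh
Jan 23 12:06:12 host1 sudo:   deploy : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/deploy.sh
"""

LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


@dataclass
class SudoEvent:
    user: str
    denied: bool      # True when sudo logged "command not allowed"
    runas: str        # USER= field, the target account
    command: str      # COMMAND= field, executable plus arguments

    @property
    def executable(self) -> str:
        return self.command.split(" ", 1)[0]


def parse_sudo_line(line: str) -> SudoEvent | None:
    """Parse one syslog line written by sudo; return None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields: dict[str, str] = {}
    messages: list[str] = []
    for part in m.group("rest").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
        else:
            messages.append(part)   # free text such as "command not allowed"
    if "COMMAND" not in fields:
        return None
    return SudoEvent(
        user=m.group("user"),
        denied="command not allowed" in messages,
        runas=fields.get("USER", ""),
        command=fields["COMMAND"],
    )


def is_untrusted_path(path: str) -> bool:
    """True when the executable is outside the trusted prefixes (or not absolute)."""
    return not path.startswith(TRUSTED_PREFIXES)


def parse_log(text: str) -> list[SudoEvent]:
    """Parse every sudo line in a log excerpt, skipping unrelated lines."""
    return [e for e in map(parse_sudo_line, text.splitlines()) if e is not None]


def flag_untrusted(events: list[SudoEvent]) -> list[SudoEvent]:
    """Successful runs as root whose executable lives outside the trusted dirs."""
    return [e for e in events
            if not e.denied and e.runas == "root" and is_untrusted_path(e.executable)]


if __name__ == "__main__":
    for e in flag_untrusted(parse_log(SAMPLE_LOG)):
        print(f"{e.user} ran {e.executable} as {e.runas} from an untrusted path")
```

Legitimate scripts kept in a user's home directory are flagged too. The remedy is on the sudoers side: move the scripts the user genuinely needs into a root-owned directory and allow-list them explicitly, after which this rule is a clean detection rather than a source of noise.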


















sudo su not-root-user account-restrictions






edited Jan 23 '18 at 11:49









roaima

asked Jan 23 '18 at 11:03









mmk_ind

1 Answer
For your original question, you will need to exclude /bin/bash (or whatever is defined as the user's shell in /etc/passwd), like so:

tomk ALL= ALL,!/bin/su,!/bin/bash

However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s or sudo -i, it will not really prevent him/her from getting an interactive shell as root.

From man sudoers:

Limitations of the ‘!’ operator

It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in the user specification.







        answered Jan 23 '18 at 13:11









Tom Klino
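As an added example that is not part of Tom Klino's answer or of the sudo project, the following Python script checks sudoers-style text for the exact pattern the quoted man page warns about: a user specification that grants ALL and then subtracts commands with '!'. It expands Cmnd_Alias definitions so aliases such as SU and SHELLS resolve to their commands, reports each such rule as advisory-only, and includes an explicit allow-list rule to show the form that does not trigger a finding. The sample sudoers text, the users tomk, bill and deploy, and /usr/local/bin/deploy.sh are constructed for the example.

```python
"""Lint sudoers user specifications for the '!'-subtraction anti-pattern.

Added example, not code from the question, the answer or the sudo project:
a small checker that reads sudoers-style text, expands Cmnd_Alias
definitions, and reports every user specification that grants ALL and then
tries to subtract commands with '!'. sudoers(5) calls such subtractions
advisory at best, so the checker treats them as findings. The sample input
is constructed; tomk, bill, deploy and /usr/local/bin/deploy.sh are
hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample sudoers text (hypothetical users and paths).
SAMPLE_SUDOERS = """\
# Aliases in the style of the sudoers(5) example
Cmnd_Alias SU = /bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/zsh

# Anti-pattern: grant everything, then try to subtract pieces of it
tomk  ALL=ALL,!/bin/su,!/bin/bash
bill  ALL = ALL, !SU, !SHELLS

# Allow-list: only the script this account actually needs to run as root
deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
"""

# Lines that are not user specifications and are skipped by the linter.
NON_SPEC_KEYWORDS = ("Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "Defaults")


@dataclass
class Finding:
    user: str
    line: str
    subtracted: list[str] = field(default_factory=list)


def parse_cmnd_aliases(text: str) -> dict[str, list[str]]:
    """Collect 'Cmnd_Alias NAME = cmd, cmd, ...' definitions."""
    aliases: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases


def lint(text: str) -> list[Finding]:
    """One Finding per user spec that grants ALL and then subtracts with '!'."""
    aliases = parse_cmnd_aliases(text)
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        if not line or line.startswith(NON_SPEC_KEYWORDS):
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(.*)", line)   # user host = cmnds
        if not m:
            continue
        user, cmnds = m.group(1), m.group(3)
        cmnds = re.sub(r"^\([^)]*\)\s*", "", cmnds)       # strip (runas) list
        cmnds = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmnds)    # strip tags such as NOPASSWD:
        grants_all = False
        subtracted: list[str] = []
        for item in (c.strip() for c in cmnds.split(",")):
            if item.startswith("!"):
                name = item.lstrip("!").strip()
                subtracted.extend(aliases.get(name, [name]))  # expand aliases
            elif item == "ALL":
                grants_all = True
        if grants_all and subtracted:
            findings.append(Finding(user, line, subtracted))
    return findings


def report(text: str) -> list[str]:
    """Human-readable lines, one per finding."""
    return [
        f"{f.user}: grants ALL but subtracts {', '.join(f.subtracted)}; "
        "per sudoers(5) this is advisory only, replace it with an explicit allow-list"
        for f in lint(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_SUDOERS):
        print(line)
```

This complements visudo -c rather than replacing it: visudo validates syntax, while this check catches a rule that is syntactically valid but, as the man page says, gives only the illusion of restriction.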
