how to restrict users not to login to root by using sudo -i and sudo su - and other if exists [duplicate] The 2019 Stack Overflow Developer Survey Results Are In Unicorn Meta Zoo #1: Why another podcast? Announcing the arrival of Valued Associate #679: Cesar Manara 2019 Community Moderator Election ResultsPreventing other users from viewing my filesRestrict certain command optionsHow to restrict some commands for admin in Linux(CentOS)How to add a user to sudoers file?How do I restart apache as non-root (using a git-hook)?Can edit file as root, but not using sudoAllow a user to view the home directory of other users via sudoHow to stop regular users from Switching UsersWhat is the best way to add a user to the sudoer group?Difference between sudo user and root useradding a sudoer in debiansudo does not work with database stored usersDoes sudo restrict on which users can acquire superuser privileges?
How to politely respond to generic emails requesting a PhD/job in my lab? Without wasting too much time
Can each chord in a progression create its own key?
Can the Right Ascension and Argument of Perigee of a spacecraft's orbit keep varying by themselves with time?
Student Loan from years ago pops up and is taking my salary
Do warforged have souls?
My body leaves; my core can stay
"is" operation returns false with ndarray.data attribute, even though two array objects have same id
different output for groups and groups USERNAME after adding a username to a group
How did the audience guess the pentatonic scale in Bobby McFerrin's presentation?
Loose spokes after only a few rides
How do spell lists change if the party levels up without taking a long rest?
Store Dynamic-accessible hidden metadata in a cell
Example of compact Riemannian manifold with only one geodesic.
Does Parliament hold absolute power in the UK?
ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?
Sort list of array linked objects by keys and values
Deal with toxic manager when you can't quit
Am I ethically obligated to go into work on an off day if the reason is sudden?
60's-70's movie: home appliances revolting against the owners
What information about me do stores get via my credit card?
Did the new image of black hole confirm the general theory of relativity?
Drawing vertical/oblique lines in Metrical tree (tikz-qtree, tipa)
Mortgage adviser recommends a longer term than necessary combined with overpayments
Simulating Exploding Dice
how to restrict users not to login to root by using sudo -i and sudo su - and other if exists [duplicate]
The 2019 Stack Overflow Developer Survey Results Are In
Unicorn Meta Zoo #1: Why another podcast?
Announcing the arrival of Valued Associate #679: Cesar Manara
2019 Community Moderator Election ResultsPreventing other users from viewing my filesRestrict certain command optionsHow to restrict some commands for admin in Linux(CentOS)How to add a user to sudoers file?How do I restart apache as non-root (using a git-hook)?Can edit file as root, but not using sudoAllow a user to view the home directory of other users via sudoHow to stop regular users from Switching UsersWhat is the best way to add a user to the sudoer group?Difference between sudo user and root useradding a sudoer in debiansudo does not work with database stored usersDoes sudo restrict on which users can acquire superuser privileges?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
This question already has an answer here:
Preventing other users from viewing my files [closed]
3 answers
I have tried to restrict user by editing sudoers
file M ALL=!/bin/su
. I am able to restrict sudo su -
but not sudo -i
.
sudo su not-root-user account-restrictions
marked as duplicate by sourcejedi, Jeff Schaller♦, Rui F Ribeiro, jayhendren, G-Man Jan 24 '18 at 1:01
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
|
show 1 more comment
This question already has an answer here:
Preventing other users from viewing my files [closed]
3 answers
I have tried to restrict user by editing sudoers
file M ALL=!/bin/su
. I am able to restrict sudo su -
but not sudo -i
.
sudo su not-root-user account-restrictions
marked as duplicate by sourcejedi, Jeff Schaller♦, Rui F Ribeiro, jayhendren, G-Man Jan 24 '18 at 1:01
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
2
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run viasudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run viasudo
doesn't have any holes such as using environment variables controlled by the user.
– Andrew Henle
Jan 23 '18 at 11:32
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
3
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
Trivial to get aroundALL=!/bin/su
. See:sudo su ## Permission denied
but thenln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02
|
show 1 more comment
This question already has an answer here:
Preventing other users from viewing my files [closed]
3 answers
I have tried to restrict user by editing sudoers
file M ALL=!/bin/su
. I am able to restrict sudo su -
but not sudo -i
.
sudo su not-root-user account-restrictions
This question already has an answer here:
Preventing other users from viewing my files [closed]
3 answers
I have tried to restrict user by editing sudoers
file M ALL=!/bin/su
. I am able to restrict sudo su -
but not sudo -i
.
This question already has an answer here:
Preventing other users from viewing my files [closed]
3 answers
sudo su not-root-user account-restrictions
sudo su not-root-user account-restrictions
edited Jan 23 '18 at 11:49
roaima
46.2k758124
46.2k758124
asked Jan 23 '18 at 11:03
mmk_indmmk_ind
1612
1612
marked as duplicate by sourcejedi, Jeff Schaller♦, Rui F Ribeiro, jayhendren, G-Man Jan 24 '18 at 1:01
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by sourcejedi, Jeff Schaller♦, Rui F Ribeiro, jayhendren, G-Man Jan 24 '18 at 1:01
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
2
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run viasudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run viasudo
doesn't have any holes such as using environment variables controlled by the user.
– Andrew Henle
Jan 23 '18 at 11:32
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
3
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
Trivial to get aroundALL=!/bin/su
. See:sudo su ## Permission denied
but thenln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02
|
show 1 more comment
2
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run viasudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run viasudo
doesn't have any holes such as using environment variables controlled by the user.
– Andrew Henle
Jan 23 '18 at 11:32
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
3
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
Trivial to get aroundALL=!/bin/su
. See:sudo su ## Permission denied
but thenln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02
2
2
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via
sudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run via sudo
doesn't have any holes such as using environment variables controlled by the user.– Andrew Henle
Jan 23 '18 at 11:32
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via
sudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run via sudo
doesn't have any holes such as using environment variables controlled by the user.– Andrew Henle
Jan 23 '18 at 11:32
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
3
3
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
Trivial to get around
ALL=!/bin/su
. See: sudo su ## Permission denied
but then ln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02
Trivial to get around
ALL=!/bin/su
. See: sudo su ## Permission denied
but then ln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02
|
show 1 more comment
1 Answer
1
active
oldest
votes
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.
add a comment |
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.
add a comment |
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.
For your original question, you will need to exclude /bin/bash
(or whatever is defined as the user's shell in /etc/passwd
), like so:
tomk ALL= ALL,!/bin/su,!/bin/bash
However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s
or sudo -i
, it will not really prevent him/her from getting an interactive shell as root.
From man sudoers
:
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that.
For example:bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐
fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in
the user specification.
answered Jan 23 '18 at 13:11
Tom KlinoTom Klino
410719
410719
add a comment |
add a comment |
-account-restrictions, not-root-user, su, sudo
2
A few problems with this approach are mentioned here: unix.stackexchange.com/questions/392483/…
– Guy
Jan 23 '18 at 11:27
If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via
sudo
doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run viasudo
doesn't have any holes such as using environment variables controlled by the user.– Andrew Henle
Jan 23 '18 at 11:32
I want to allow him in all other activities where as he has to run scripts but not to login as root.
– mmk_ind
Jan 23 '18 at 11:51
3
A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access.
– Rui F Ribeiro
Jan 23 '18 at 11:53
Trivial to get around
ALL=!/bin/su
. See:sudo su ## Permission denied
but thenln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds
– roaima
Jan 23 '18 at 12:02