How can I prevent a sudoer from editing the /etc/sudoers file?
5 Answers
This depends on how much access you have given people who use sudo. If you have given people sufficient privilege to enable them to use sudo in an unrestricted manner then you pretty much have to trust them.
You can explicitly deny access to the visudo command:
sudouser ALL=ALL, !/usr/sbin/visudo
then:
$ sudo visudo
[sudo] password for sudouser:
Sorry, user sudouser is not allowed to execute '/usr/sbin/visudo' as root on host1.lan
However, this doesn't stop people from, for example, running a shell and then running visudo:
sudo -s
visudo
Bingo!
The only other solution is to reduce the scope of people's access via sudo. To do this you would have to analyse their privilege requirements and give them access via sudo to only those commands that they really need by use of command aliases etc.
If I understand the OP right, he means he wants to restrict a user from editing the /etc/sudoers file directly. – quanta Sep 05 '11 at 07:52
The answer is the same either way. Once you give people sufficient access you can't stop them doing whatever they want. – user9517 Sep 05 '11 at 07:54
What I have added in /etc/sudoers is: !/bin/texteditor /etc/sudoers and it works, but the messy part is I have to find out all the editors that are installed in the system. – regmaster Sep 06 '11 at 07:28
@regmaster: If you allow your sudoers to use sudo -s then they will still be able to edit it because they have a root shell. – user9517 Sep 06 '11 at 09:15
@Iain I have disabled that feature too by adding the lines below:
Cmnd_Alias NSHELLS = /bin/sh, /bin/bash, /sbin/nologin, /bin/tcsh, /bin/csh, /bin/zsh, /bin/ksh
Cmnd_Alias NSU = /bin/su
username ALL=(ALL) NOPASSWD: ALL, !NSHELLS, !NSU
– regmaster Sep 09 '11 at 07:18
Using traditional Unix permissions, I think that is hard: as long as you can run any command via sudo that will allow you to do editing[*], then you're kinda screwed.
There are other security models available in Linux, though not so widely deployed and configured; for example, SELinux and AppArmor. You might be able to configure those to restrict access to what you desire.
Starting with a goal of "I want my sudo users to be able to do anything" and then taking away certain privileges is probably a hard way to do things: there are many ways to modify sudoers that don't involve directly editing (for example, replace the mail startup script with a script that i) copies over a new sudoers and then starts sendmail; reboot system; voila!)
In that sense, if you trust your users to do anything to your system, then you have to trust them to do anything to your system (on a technical level, at least).
+1 for mentioning both SELinux and AppArmor, it's the only way to go once you've handed the root keys to a user through sudo :) – lynxman Sep 05 '11 at 12:08
Another approach: restrict ALL and make available only what you need, e.g. user_sample ALL=!ALL,/bin/ls,/bin/cat, and restrict permission access to the /etc/sudoers file (400).
Bit clunky, but you could set up another machine to ssh in to your box(es) and alert you if there's a change, or if it can't ssh in. Gives an attacker a small window of opportunity... but is a reduction in risk. Might not solve your particular case at all though.
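The change-alerting idea in the answer above, as an added example that is not the answerer's own script: a POSIX sh baseline-and-compare check over /etc/sudoers and the /etc/sudoers.d drop-ins (sudo reads both, so watching only the main file misses drift) that a separate monitoring host could run over ssh and page on a non-zero exit status. The directory argument, the baseline path and the sample policy contents are assumptions constructed for the demo, so it runs offline and without root.

```shell
#!/bin/sh
# Added example, not from the thread: baseline-and-compare check of the sudo
# policy (/etc/sudoers plus the /etc/sudoers.d drop-ins), meant to be run from
# a separate monitoring host over ssh and alerted on a non-zero exit status.
# The directory argument, baseline path and sample contents are assumptions
# constructed for the demo so it runs offline and without root.

# Content hash of one file; sha256sum normally, shasum on macOS, cksum last.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        cksum "$1" | awk '{print $1 "-" $2}'
    fi
}

# Write one "<hash> <mode> <owner> <path>" line per policy file. Mode and owner
# are recorded because loosening 0440/root is drift worth an alert by itself.
sudoers_baseline() {   # $1 = etc directory (normally /etc), $2 = baseline file
    : > "$2"
    for f in "$1/sudoers" "$1"/sudoers.d/*; do
        [ -f "$f" ] || continue
        mode_owner=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s %s\n' "$(hash_file "$f")" "$mode_owner" "$f" >> "$2"
    done
}

# Rebuild the listing and compare it with the stored baseline. Prints the
# differing lines and returns 1 on any drift (changed, added or removed file).
sudoers_check() {      # $1 = etc directory, $2 = baseline file
    tmp=$(mktemp)
    sudoers_baseline "$1" "$tmp"
    rc=0
    if ! cmp -s "$2" "$tmp"; then
        rc=1
        echo "sudo policy drift detected ('<' baseline, '>' current):"
        diff "$2" "$tmp" || true
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample tree standing in for /etc; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/sudoers.d"
    printf 'root ALL=(ALL) ALL\n%%admin ALL=(ALL) ALL\n' > "$d/etc/sudoers"
    printf 'deploy ALL=(root) /bin/systemctl restart app\n' > "$d/etc/sudoers.d/deploy"
    chmod 440 "$d/etc/sudoers" "$d/etc/sudoers.d/deploy"
    printf '%s\n' "$d"
}

# Run with --demo to see a clean check, then a mode change and an added rule
# being caught. For real use: sudoers_baseline /etc /var/lib/sudoers.baseline
# once (path is an assumption), then sudoers_check with the same arguments
# from cron or over ssh, and alert on exit status 1.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    sudoers_baseline "$d/etc" "$d/baseline"
    sudoers_check "$d/etc" "$d/baseline" && echo "clean"
    chmod u+w "$d/etc/sudoers.d/deploy"                                   # mode drift
    echo 'sudouser ALL=(ALL) NOPASSWD: ALL' >> "$d/etc/sudoers.d/deploy"  # content drift
    sudoers_check "$d/etc" "$d/baseline" || echo "exit status 1 -> alert"
    rm -rf "$d"
fi
```

Keep the baseline on the monitoring host, not on the monitored box: a user who can already write /etc/sudoers through sudo can just as easily rewrite a local baseline, which is why the answer suggests checking from a second machine.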
I may be late, but it seems this might help others. Prevents a sudo user from editing the sudoers file.
sudouser ALL=ALL, !/usr/sbin/visudo, !/usr/bin/vim /etc/sudoers
Make sure to list all the available editors.
sudoersfile? – Andrew Sep 05 '11 at 07:09