4

I have tried to restrict user by editing sudoers file M ALL=!/bin/su. I am able to restrict sudo su - but not sudo -i.

Chris Davies
  • 116,213
  • 16
  • 160
  • 287
Mohan
  • 141
  • 2
    A few problems with this approach are mentioned here: https://unix.stackexchange.com/questions/392483/how-to-restrict-some-commands-for-admin-in-linuxcentos – Guy Jan 23 '18 at 11:27
  • If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via sudo doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run via sudo doesn't have any holes such as using environment variables controlled by the user. – Andrew Henle Jan 23 '18 at 11:32
  • I want to allow him in all other activities where as he has to run scripts but not to login as root. – Mohan Jan 23 '18 at 11:51
  • 3
    A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access. – Rui F Ribeiro Jan 23 '18 at 11:53
  • 1
    Trivial to get around ALL=!/bin/su. See: sudo su ## Permission denied but then ln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds – Chris Davies Jan 23 '18 at 12:02
  • Adding to @Andrew’s comment, the limitations he mentions are why you should use sudoedit and the various environment-cleaning features of sudo. – Stephen Kitt Jan 23 '18 at 12:14

1 Answers1

3

For your original question, you will need to exclude /bin/bash (or whatever is defined as the user's shell in /etc/passwd), like so:

tomk ALL= ALL,!/bin/su,!/bin/bash

However(!!!), as stated already in the comments to your question, even though this will deny the user from running sudo -s or sudo -i, it will not really prevent him/her from getting an interactive shell as root.

From man sudoers:

Limitations of the ‘!’ operator

It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

bill    ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. There‐ fore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in the user specification.

Tom Klino
  • 842