
I have tried to restrict a user by editing the sudoers file with `M ALL=!/bin/su`. I am able to restrict `sudo su -` but not `sudo -i`.

Mohan
    A few problems with this approach are mentioned here: https://unix.stackexchange.com/questions/392483/how-to-restrict-some-commands-for-admin-in-linuxcentos – Guy Jan 23 '18 at 11:27
  • If you're trying to ensure a user can't get a root shell, you need to check that every command you allow users to run via `sudo` doesn't have a way to create a shell. For example, most editors have a shell escape to allow a user to run a shell. You also need to make sure any command you do allow users to run via `sudo` doesn't have any holes such as using environment variables controlled by the user. – Andrew Henle Jan 23 '18 at 11:32
  • I want to allow him in all other activities where as he has to run scripts but not to login as root. – Mohan Jan 23 '18 at 11:51
  • 3
    A seasoned user will know how to get around those limitations easily. They are mere annoyances. I would refine better the security model defining wether certain users need or not to have root access. – Rui F Ribeiro Jan 23 '18 at 11:53
  • 1
    Trivial to get around `ALL=!/bin/su`. See: `sudo su ## Permission denied` but then `ln -s /bin/su /tmp/ouch; sudo /tmp/ouch ## Succeeds` – roaima Jan 23 '18 at 12:02
  • Adding to @Andrew’s comment, the limitations he mentions are why you should use `sudoedit` and the various environment-cleaning features of `sudo`. – Stephen Kitt Jan 23 '18 at 12:14

1 Answer

For your original question, you will need to exclude `/bin/bash` (or whatever is defined as the user's shell in `/etc/passwd`), like so:

```
tomk ALL= ALL,!/bin/su,!/bin/bash
```

However(!!!), as stated already in the comments to your question, even though this will deny the user from running `sudo -s` or `sudo -i`, it will not really prevent him/her from getting an interactive shell as root.

From `man sudoers`:

Limitations of the ‘!’ operator

It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example:

```
bill    ALL = ALL, !SU, !SHELLS
```

Doesn't really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).

In general, if a user has sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell (or making their own copy of a shell) regardless of any ‘!’ elements in the user specification.

Tom Klino
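The two problems raised on this page (subtracting commands from `ALL` with `!`, and allowing commands that have a shell escape) are easy to spot mechanically. The script below is an added example, not code from the question, the answer or the sudo project: a small lint pass over sudoers text that flags both patterns and shows an allow-list spec that passes. It assumes a simplified sudoers grammar (one user spec per line, flat `Cmnd_Alias` definitions); the `SHELL_ESCAPE_CMDS` set, the `DEPLOY` alias and the paths in the sample specs are constructed for illustration.

```python
"""Lint sudoers user specs for '!'-from-ALL and shell-escape anti-patterns.

Added example; not from the question, the answer or the sudo project.
Assumes a simplified sudoers grammar:
    user  host = [(runas)] [TAG:] cmd, cmd, ...
plus flat Cmnd_Alias definitions. Real sudoers syntax is richer (line
continuations, nested aliases, Defaults), so this is a lint pass, not a
policy engine; `visudo -c -f FILE` checks syntax and `sudo -l -U USER`
shows the effective policy.
"""
import re
from dataclasses import dataclass

# Commands well known to offer a shell escape (the point raised in the
# comments). Illustrative, not exhaustive.
SHELL_ESCAPE_CMDS = {"vi", "vim", "nano", "less", "more", "man"}

# Constructed sample input: the deny-list pattern from the question ...
WEAK_SPEC = """
mohan   ALL = ALL, !/bin/su, !/bin/bash
"""
# ... and an allow-list alternative using the NOEXEC tag and sudoedit.
# The DEPLOY alias and its paths are made up for this example.
BETTER_SPEC = """
Cmnd_Alias DEPLOY = /usr/local/bin/deploy.sh, /bin/systemctl restart app
mohan   ALL = NOEXEC: DEPLOY, sudoedit /etc/app/app.conf
"""


@dataclass(frozen=True)
class Finding:
    user: str
    spec: str
    reason: str


def _parse_aliases(lines):
    """Collect Cmnd_Alias NAME = cmd, cmd definitions."""
    aliases = {}
    for line in lines:
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases


def _expand(cmd_list, aliases, tags=frozenset()):
    """Yield (negated, tags, command) triples with aliases expanded.

    As in sudoers, a tag such as NOEXEC: stays in effect for the commands
    that follow it in the same list.
    """
    tags = set(tags)
    for raw in cmd_list:
        item = re.sub(r"^\(.*?\)\s*", "", raw.strip())  # drop (runas) group
        while (m := re.match(r"^([A-Z_]+):\s*(.*)$", item)):
            tags.add(m.group(1))
            item = m.group(2)
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if not item:
            continue
        if item in aliases:
            for neg2, tags2, cmd in _expand(aliases[item], aliases, tags):
                yield (negated ^ neg2, tags2, cmd)
        else:
            yield (negated, frozenset(tags), item)


def audit_sudoers(text):
    """Return a list of Finding objects for the sudoers text given."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = _parse_aliases(lines)
    skip = ("Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "Defaults")
    findings = []
    for line in lines:
        if line.startswith(skip):
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(.+)$", line)
        if not m:
            continue
        user, spec = m.group(1), m.group(3)
        entries = list(_expand(spec.split(","), aliases))
        allowed = [(t, c) for neg, t, c in entries if not neg]
        denied = [c for neg, _, c in entries if neg]
        # Pattern 1: ALL minus a few commands, which sudoers(5) calls advisory.
        if denied and any(c == "ALL" for _, c in allowed):
            findings.append(Finding(user, line,
                "ALL with '!' exclusions is advisory only; replace it with an "
                "allow-list of the commands the user actually needs"))
        # Pattern 2: an allowed command with a known shell escape and no NOEXEC.
        for tags, cmd in allowed:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if base in SHELL_ESCAPE_CMDS and "NOEXEC" not in tags:
                findings.append(Finding(user, line,
                    f"{base} offers a shell escape; use sudoedit for files "
                    "or add the NOEXEC: tag"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SPEC), ("better", BETTER_SPEC)):
        print(f"[{label}]")
        for f in audit_sudoers(text):
            print(f"  {f.user}: {f.reason}\n    {f.spec}")
```

Running it prints one finding for `WEAK_SPEC` and none for `BETTER_SPEC`. The allow-list form is the direction the man page excerpt and the comments point to: the user keeps `sudo` for the scripts they need, editing goes through `sudoedit`, and `NOEXEC:` stops the allowed programs from spawning children, so there is no `!` list to route around.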