Comments on: Sudo FAQ http://polishlinux.org All About GNU/Linux and BSD - reviews, comparisons, articles Sat, 22 Nov 2008 10:17:59 +0000 http://wordpress.org/?v=2.6.3 By: Buchan http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-115746 Buchan Sun, 24 Feb 2008 20:23:54 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-115746 There is no real solution (with open-source software) to allow almost-all commands as root. However, one solution to your real problem, is to allow specific commands, and anything not specifically allowed would be made accessible via an audited shell, such as sudosh2 (http://sf.net/projects/sudosh2), or eash (the more enterprise version of sudosh, but the project is gone, however the source is available in Mandriva's svn repo - the package being maintained by me ...). A TACACS+ based shell would be a better option ... but it would have to be hacked in to quite an extent to be similar to how the command shell on Cisco IOS (for example) handles TACACS+ command authorization ... There is no real solution (with open-source software) to allow almost-all commands as root.

However, one solution to your real problem, is to allow specific commands, and anything not specifically allowed would be made accessible via an audited shell, such as sudosh2 (http://sf.net/projects/sudosh2), or eash (the more enterprise version of sudosh, but the project is gone, however the source is available in Mandriva’s svn repo - the package being maintained by me …).

A TACACS+ based shell would be a better option … but it would have to be hacked in to quite an extent to be similar to how the command shell on Cisco IOS (for example) handles TACACS+ command authorization …

]]> By: Paul http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-113810 Paul Thu, 14 Feb 2008 15:22:47 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-113810 We have a problem with admins always typing "sudo bash" or "sudo tcsh" then doing their stuff as root without any logging. Does anyone know if it's possible to block users' access to *certain* commands, while allowing all other commands? We need this mostly as a reminder of policy, rather than for security. The best I've come up with so far is a daily grep of /var/log/messages.0.gz for offending lines, with an automated email reminder to whoever does it. Thanks. We have a problem with admins always typing “sudo bash” or “sudo tcsh” then doing their stuff as root without any logging.

Does anyone know if it’s possible to block users’ access to *certain* commands, while allowing all other commands? We need this mostly as a reminder of policy, rather than for security.

The best I’ve come up with so far is a daily grep of /var/log/messages.0.gz for offending lines, with an automated email reminder to whoever does it.

Thanks.

]]> By: Sergiy Tsymbal http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-100411 Sergiy Tsymbal Sun, 06 Jan 2008 13:40:36 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-100411 I was also looking for the way to change umask of the user I am sudoing to. Apparently, it is controlled by sudo defaults. To change umask of the user you sudo to (sudo -u useranme) add the following line to /etc/sudoers Defaults>username umask=0002 Regards, Sergiy I was also looking for the way to change umask of the user I am sudoing to.
Apparently, it is controlled by sudo defaults. To change umask of the user you sudo to (sudo -u useranme) add the following line to /etc/sudoers

Defaults>username umask=0002

Regards,
Sergiy

]]> By: Heidi Schmidt http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-23889 Heidi Schmidt Thu, 12 Apr 2007 19:20:52 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-23889 Thanks for the forum. I have been searching for a way to figure out if the .cshrc is ever read on sudo -u username. In my test trial I put umask 022 into the .cshrc file and when I sudo-ed to username and ran umask it was set to 2 I am not sure if it is the /etc/sudoers file, a sudo command line flag or other setting that needs to happen in order for the .cshrc file to be properly sourced upon sudo -u From what I read it looked like resetting environment paths was inherent. I am sudo -u username shell and in that case I want the dot files sourced. Any help appreciated. Thanks Heidi Thanks for the forum. I have been searching for a way to figure out if the .cshrc is ever read on sudo -u username. In my test trial I put umask 022 into the .cshrc file and when I sudo-ed to username and ran umask it was set to 2

I am not sure if it is the /etc/sudoers file, a sudo command line flag or other setting that needs to happen in order for the .cshrc file to be properly sourced upon sudo -u

From what I read it looked like resetting environment paths was inherent. I am sudo -u username shell and in that case I want the dot files sourced.

Any help appreciated.

Thanks
Heidi

]]> By: Jim Budler http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-18040 Jim Budler Fri, 02 Mar 2007 08:18:26 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-18040 Fedora Core 6: Sudo visudo was using vi despite my EDITOR and VISUAL being set to nedit. Simple fix: sudo visudo; Modify env_keep to include VISUAL and EDITOR. Result: sudo visudo uses nedit. Jim Fedora Core 6:

Sudo visudo was using vi despite my EDITOR and VISUAL being set to nedit.

Simple fix:

sudo visudo; Modify env_keep to include VISUAL and EDITOR.

Result: sudo visudo uses nedit.

Jim

]]> By: Venkatt Guhesan http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17850 Venkatt Guhesan Wed, 28 Feb 2007 19:00:18 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17850 Also another rarely used command is when you open up GUI applications. Have you ever encountered situations where in Ubuntu you have a graphical windows open and you were trying to copy to/from a directory where it has secure "root" access, and it comes back and tells you that you can't. Well to get around this issue you can use the "gksudo " For example, "gksudo nautilus" will open your file explorer as root... This will allow you to modify as root. But also be aware that you can also do some serious damage as root... Enjoy... Also another rarely used command is when you open up GUI applications. Have you ever encountered situations where in Ubuntu you have a graphical windows open and you were trying to copy to/from a directory where it has secure “root” access, and it comes back and tells you that you can’t. Well to get around this issue you can use the “gksudo ”

For example, “gksudo nautilus” will open your file explorer as root…

This will allow you to modify as root. But also be aware that you can also do some serious damage as root…

Enjoy…

]]> By: ranger http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17709 ranger Tue, 27 Feb 2007 14:21:25 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17709 Jochen, for editors, it is effective to add rules for sudoedit, which will be used by sudoedit to allow users to edit files. In this case, sudoedit copies the original file to a temporary location, runs the user's editor (determined from VISUAL or similar) as the user. On exit of the editor, sudoedit will then copy the temporary file over the original file if the temporary copy has changed. So, while there are still some issues with it, it provides access to an editor without providing an avenue for exploit. Also, for circumstances where users must run some kind of interactive application (e.g. installing some proprietary software, etc. etc.) there are audited shells available (which you can provide access to via sudo). Finally, I don't think any article on sudo is complete without noting that current versions of sudo support reading sudo rules from LDAP (which avoids problems with syntax checking, and provides immediate access to new rules across all hosts). Jochen, for editors, it is effective to add rules for sudoedit, which will be used by sudoedit to allow users to edit files. In this case, sudoedit copies the original file to a temporary location, runs the user’s editor (determined from VISUAL or similar) as the user. On exit of the editor, sudoedit will then copy the temporary file over the original file if the temporary copy has changed.

So, while there are still some issues with it, it provides access to an editor without providing an avenue for exploit.

Also, for circumstances where users must run some kind of interactive application (e.g. installing some proprietary software, etc. etc.) there are audited shells available (which you can provide access to via sudo).

Finally, I don’t think any article on sudo is complete without noting that current versions of sudo support reading sudo rules from LDAP (which avoids problems with syntax checking, and provides immediate access to new rules across all hosts).

]]> By: Jesse http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17689 Jesse Tue, 27 Feb 2007 10:15:13 +0000 http://polishlinux.org/first-steps/root-account/sudo-faq/#comment-17689 I used visudo in ubuntu and it came up with pico. It took me a second to realize what it was. I was expecting vi and I typed :q after I was done looking and I was like "WTF mate?" when it put the text in the middle of the screen even after I esc'd. I used visudo in ubuntu and it came up with pico. It took me a second to realize what it was. I was expecting vi and I typed :q after I was done looking and I was like “WTF mate?” when it put the text in the middle of the screen even after I esc’d.

]]>