0

I need to prevent sudo user from start/restart or stop multiple services.

I've edited /etc/sudoers:

Cmnd_Alias LIMITED_CMDS=/bin/su,/bin/systemctl stop nginx,/bin/systemctl start nginx,/bin/systemctl restart nginx
mytestuser ALL=!LIMITED_CMDS

But he can do something like: ln -s /bin/su /tmp/su2 and then use sudo su2 to become root and execute everything.

Also, the sudo user can execute sudo service stop nginx or /etc/init.d/nginx stop. I can of course list them in Cmnd_Alias too, but what if I need to limit control of multiple services? The construction gets too large, and anyway a symlink to /bin/su will do the trick. Maybe I missed something, but does Linux have a good tool/config to limit a user's rights to control some services? I've googled and found only variants with the sudoers file, but this is not what I need.

The simple way is not to give the user sudo rights :) but in my case the user must be in the sudo group.

1 Answer

0

It works in the opposite direction: add the necessary rights to the user, and no more. What you are trying to do will not work, precisely because of the cases you mentioned. If a user has the right to do "everything but", it is trivial to exploit the part of "but" you didn't think of.

Any user who has absolute control over the system (i.e. everyone in the sudo group) is by definition a trusted user. If you don't trust the user, remove them from the sudo group, and give them only the rights they absolutely need.

1
  • Thanks for your answer! I also understand that a sudo user is a trusted user. But I simply found this question on GitHub as an interview question (I'm at the study stage). And this question confused me. Commented Oct 21, 2019 at 15:37
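
The allowlist approach described in the answer, shown next to the question's denylist, as an added example that is not part of the original question or answer. It assumes mytestuser has been removed from the sudo group; the drop-in file name, the /usr/sbin/nginx path and the choice of permitted commands (reload and config test) are hypothetical.

```sudoers
# /etc/sudoers.d/mytestuser   (hypothetical drop-in file)
# Edit with:   visudo -f /etc/sudoers.d/mytestuser
# Syntax check: visudo -cf /etc/sudoers.d/mytestuser

# Denylist from the question, kept as a comment for contrast.
# On top of the "ALL" granted through the sudo group it blocks only these
# exact paths and arguments, so the same program reached under another
# name (the /tmp/su2 symlink, "service", /etc/init.d/nginx) still runs as root.
#   Cmnd_Alias LIMITED_CMDS = /bin/su, /bin/systemctl stop nginx, ...
#   mytestuser ALL = !LIMITED_CMDS

# Allowlist: grant only named commands, by full path and with fixed arguments.
# Anything not listed here is denied, so there is nothing to enumerate or
# forget. (Assumed requirement: the user may test the nginx configuration
# and reload nginx, but not start, stop or restart it.)
Cmnd_Alias NGINX_OPS = /usr/sbin/nginx -t, \
                       /bin/systemctl reload nginx

# Run only NGINX_OPS, only as root, on any host this file is deployed to.
mytestuser ALL = (root) NGINX_OPS

# Review what the account can actually run (as root):
#   sudo -l -U mytestuser
```

Because the arguments are spelled out, sudo matches them exactly: `sudo systemctl reload nginx` is accepted, while `sudo systemctl stop nginx` or `sudo /tmp/su2` is refused.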
