I have sudo access to one of our test machines and the following are the commands restricted for me:
user_sree@sel8585:~> sudo -l
user_sree's password:
User user_sree may run the following commands on this host:
(ALL) ALL, (ALL) !/bin/sh, !/bin/bash, !/bin/ksh, (ALL) !/bin/su, (ALL) !/usr/bin/passwd, !/usr/sbin/useradd, !/usr/sbin/userdel, !/usr/sbin/usermod,
!/usr/sbin/visudo
This says I cannot run visudo or /usr/sbin/visudo, and I confirmed it:
user_sree@sel8585:~> sudo /usr/sbin/visudo
Sorry, user user_sree is not allowed to execute '/usr/sbin/visudo' as root on sel8585.
Now, out of curiosity I created a symlink to /usr/sbin/visudo:
ln -s /usr/sbin/visudo myvi
I tried accessing the sudoers file by calling this soft link and it works fine.
user_sree@sel8585:~> sudo /home/user_sree/myvi
myvi: /etc/sudoers.tmp unchanged
Similarly, I was able to run other restricted commands by creating softlinks.
If I am to configure sudo for others, how can I stop them from doing this? I do not want to restrict them from creating softlinks.
user_sree@sel8585:~> sudo -l | grep bash
(ALL) ALL, (ALL) !/bin/sh, !/bin/bash, !/bin/ksh, (ALL) !/bin/su, (ALL) !/usr/bin/passwd, !/usr/sbin/useradd, !/usr/sbin/userdel, !/usr/sbin/usermod,
Similarly:
user_sree@sel8585:~> sudo sh -c 'ls'
Sorry, user user_sree is not allowed to execute '/usr/bin/sh -c ls' as root on sel8585.
Now with the symlink mybash pointing to /bin/bash (on my system /usr/bin/sh is a link to /bin/bash):
user_sree@sel8585:~> sudo /home/user_sree/mybash -c 'ls'
bin mybash myvi sudoers.back test.pp
user_sree@sel8585:~> ll my*
lrwxrwxrwx 1 user_sree users 9 Jul 16 14:10 mybash -> /bin/bash
lrwxrwxrwx 1 user_sree users 16 Jul 16 14:13 myvi -> /usr/sbin/visudo
P.S.:
Cmnd_Alias NSHELLS = /bin/sh,/bin/bash,/bin/ksh
Cmnd_Alias NSU = /bin/su
Cmnd_Alias NCMDS = /usr/bin/passwd,/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/sbin/visudo
user_sree ALL=(ALL) ALL, !NSHELLS, !NSU, !NCMDS
The above are the entries in the /etc/sudoers file.
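As an added example (not part of the original question), the script below shows the pattern behind the bypass and the shape of the fix. sudoers(5) documents, under "Limitations of the '!' operator", that subtracting commands from ALL is not effective: sudo matches the path the user typed against the paths in sudoers, so a symlink (or a plain copy) of a denied binary has a different path and falls through to the ALL grant. Blocking symlinks does not help because cp works just as well. The robust configuration is an allow-list of exactly the commands the user needs. The sudoers text embedded here is constructed for the example (the ADMIN_CMDS alias and its commands are assumptions, not the questioner's real policy), and the audit function only flags the "ALL, !..." shape; it is not a full sudoers parser.

```shell
#!/bin/sh
# Added example: audit a sudoers snippet for the deny-list pattern
# ("ALL" followed by "!" exclusions) and show an allow-list replacement.
# The snippets are constructed for this example; alias and command names
# in SAFE_SUDOERS are assumptions.

# Constructed copy of the questioner's deny-list rule. "ALL" grants every
# path; the "!" entries only remove the exact paths listed, so
# /home/user_sree/myvi -> /usr/sbin/visudo is still allowed.
WEAK_SUDOERS='Cmnd_Alias NSHELLS = /bin/sh,/bin/bash,/bin/ksh
Cmnd_Alias NSU = /bin/su
Cmnd_Alias NCMDS = /usr/bin/passwd,/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/sbin/visudo
user_sree ALL=(ALL) ALL, !NSHELLS, !NSU, !NCMDS'

# Allow-list replacement (assumed command set). Only these paths match, so
# a symlink or copy under $HOME is simply "not allowed to execute".
SAFE_SUDOERS='Cmnd_Alias ADMIN_CMDS = /usr/bin/systemctl, /usr/bin/journalctl, /usr/sbin/service
user_sree ALL=(ALL) ADMIN_CMDS'

# Print every user specification of the form
#   <user> <host>=(<runas>) ALL, !...
# Alias definitions and comments are skipped. Exit status is 0 when at
# least one such line was found, 1 when the snippet is clean.
flag_negated_all() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -Ev '^[[:space:]]*(Cmnd|User|Host|Runas)_Alias' \
      | grep -E '=[[:space:]]*\([^)]*\)[[:space:]]*ALL[[:space:]]*,.*!'
}

# Convenience wrapper: report "deny-list" or "ok" for a snippet.
classify_sudoers() {
    if flag_negated_all "$1" >/dev/null; then
        echo "deny-list"
    else
        echo "ok"
    fi
}

# Stand-alone run: show the flagged line from the weak policy, then the
# verdict for both snippets.
echo "Flagged in WEAK_SUDOERS:"
flag_negated_all "$WEAK_SUDOERS" || true
echo "WEAK_SUDOERS: $(classify_sudoers "$WEAK_SUDOERS")"
echo "SAFE_SUDOERS: $(classify_sudoers "$SAFE_SUDOERS")"
```

After putting an allow-list rule in place with visudo, check the result with `sudo -l -U user_sree` as root: the listing should name only the permitted commands, and `sudo /home/user_sree/myvi` should then be refused the same way `/usr/sbin/visudo` was.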