Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:
> 
>> I don't want my users to become root with simply executing the 'sudo
>> -i' command so they can execute all root commands. Users should only
>> execute with sudo the allowed defined commands.
>> I'm able to prevent them from executing 'sudo su -', but I didn't find
>> any informations about forbidding 'sudo -i'.
> 
> There is no good solution for that.
> 
> You can try something like
> 
> username ALL=(ALL)  ALL, !/usr/bin/bash, !/usr/bin/vi
> 
> But you have to specify all dangerous commands like vi, strace and so on.
> So please avoid this. To be safe, you have to define a whitelist of
> commands. Or trust your users.

HBAC can do this better.

HBAC controls who is allowed to use PAM services. sudo-i is a PAM
service. It is allowed now, I'm assuming, because you have the HBAC
allow_all rule enabled.

If you disable or delete it then nobody will be able to do anything, so be
careful. Everything, including ssh, is denied by default without this rule.

So you'll need to create rules to allow the services you want, for the
users/groups you want, on the hosts you want. There is also a rule-level
glob for all users/groups and all hosts/hostgroups. So it can be as
fine-grained as you'd like.

You have to be very careful with sudo because users can be very crafty.
If they can call cp, ln or mv with sudo then they can create their own
/usr/bin/rcritsh which could allow them to do what they want because it
isn't in the prohibited list. chmod can also be used in unexpected ways.
The sudoers man page has a lot to say about ! under SECURITY NOTES.

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
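As an added worked example (not code from Rob's reply or from the FreeIPA project): the ipa CLI sequence that implements what the reply describes, namely explicit HBAC rules for sshd, sudo and sudo-i in place of allow_all, plus a whitelist-style sudo rule for the non-admin group. The group names developers and admins, the hostgroup webservers, the user alice, the host web1.example.test and the whitelisted command paths are assumptions chosen for illustration. When the ipa client is not on PATH the script only prints the commands it would run, so the plan can be reviewed before it is applied.

```bash
#!/usr/bin/env bash
# Added example: replace the HBAC allow_all rule with explicit per-service rules
# so that ordinary users get sshd and plain sudo, while only admins get the
# sudo-i PAM service. Names used below (developers, admins, webservers, alice,
# web1.example.test, the command paths) are assumptions, not from the thread.
set -euo pipefail

# Run an ipa command, or print it when ipa is not installed (dry run).
DRY_RUN="${DRY_RUN:-}"
command -v ipa >/dev/null 2>&1 || DRY_RUN=1
run() {
  if [ -n "$DRY_RUN" ]; then printf 'ipa %s\n' "$*"; else ipa "$@"; fi
}

# add_hbac_rule NAME "SVC [SVC...]" GROUP HOSTGROUP
# Creates one HBAC rule granting the listed PAM services to GROUP on HOSTGROUP.
add_hbac_rule() {
  local name=$1 svcs=$2 grp=$3 hg=$4 svc
  run hbacrule-add "$name" --desc="$svcs for $grp on $hg"
  for svc in $svcs; do
    run hbacrule-add-service "$name" --hbacsvcs="$svc"
  done
  run hbacrule-add-user "$name" --groups="$grp"
  run hbacrule-add-host "$name" --hostgroups="$hg"
}

# plan_rules USERS_GROUP HOSTGROUP ADMINS_GROUP
# Users: sshd plus the "sudo" service (needed for "sudo <allowed cmd>").
# Admins: the same plus "sudo-i". allow_all is disabled only after the
# replacement rules exist, otherwise everyone (ssh included) is locked out.
plan_rules() {
  local users=$1 hosts=$2 admins=$3
  add_hbac_rule allow_users "sshd sudo" "$users" "$hosts"
  add_hbac_rule allow_admins "sshd sudo sudo-i" "$admins" "$hosts"
  run hbacrule-disable allow_all
}

# plan_sudo_allowlist RULE USERS_GROUP HOSTGROUP CMD...
# A whitelist sudo rule: only the listed commands, run as root. No "!" entries,
# so there is nothing for cp/ln/mv/chmod tricks to route around.
plan_sudo_allowlist() {
  local name=$1 users=$2 hosts=$3 cmd
  shift 3
  run sudorule-add "$name"
  run sudorule-add-user "$name" --groups="$users"
  run sudorule-add-host "$name" --hostgroups="$hosts"
  run sudorule-add-runasuser "$name" --users=root
  for cmd in "$@"; do
    run sudocmd-add "$cmd"
    run sudorule-add-allow-command "$name" --sudocmds="$cmd"
  done
}

# verify USER HOST: simulate the sudo-i PAM service through HBAC.
# For a user who is not in the admins group the expected output is
# "Access granted: False".
verify() {
  run hbactest --user="$1" --host="$2" --service=sudo-i
}

# Invoke as "./hbac-sudo.sh apply" to run the plan; with no argument the
# functions are only defined (convenient for sourcing or testing).
if [ "${1:-}" = "apply" ]; then
  plan_rules developers webservers admins
  plan_sudo_allowlist developers_service_restart developers webservers \
    /usr/bin/systemctl /usr/bin/journalctl
  verify alice web1.example.test
fi
```

Run it once without ipa on PATH (or with DRY_RUN=1) to read the plan, then on an enrolled client with admin credentials. The ordering inside plan_rules is the point Rob makes about allow_all: create the replacement rules first, disable the catch-all last, and confirm with ipa hbactest before telling anyone the change is live.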