Ulf Volmer via FreeIPA-users wrote: > On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote: > >> I don't want my users to become root with simply executing the 'sudo >> -i' command so they can execute all root commands. Users should only >> execute with sudo the allowed defined commands. >> I'm able to prevent them from executing 'sudo su -', but I didn't find >> any informations about forbidding 'sudo -i'. > > There is not good solution for. > > You can try something like > > username ALL=(ALL) ALL, !/usr/bin/bash, !/usr/bin/vi > > But you have to specify all dangerous command like vi, strace and so on. > So please avoid this. To be safe, you have to define a whitelist of > commands. Or to trust your users.
HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled. If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule. So you'll need to create rules to allow the services you want, for the users/groups you want, on the hosts you want. There is also a rule-level glob for all users/groups and all hosts/hostgroups. So it can be as fine-grained as you'd like. You have to be very careful with sudo because users can be very crafty. If they can call cp, ln or mv with sudo then they can create their own /usr/bin/rcritsh which could allow them to do what they want because it isn't in the prohibited. chmod can also be used in unexpected ways. The sudoers man page has a lot to say about ! under SECURITY NOTES. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
