Would it be enough/possible, more or less, to use deny commands to secure a sudoers user with ALL permission except for critical commands?
I'm thinking of:
- chattr +i /etc/sudoers
- chattr +i /etc/resolv.conf (securing DNS's)
and a sudoers file such as:
#Defaults rootpw
root ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) NOPASSWD: ! /bin/su
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/mv
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/passwd
----
I just want sudoers users to be unable to take control of the root user and at the same time be able to do most root tasks.
What do you think, is it possible? I just need to keep resolv.conf and the sudoers file locked for sudoers users.
Securing sudoers with deny commands
- dilberts_left_nut
Re: Securing sudoers with deny commands
Arse about face.
Use it like intended and allow only what is required.
AdrianTM wrote:There's no hacker in my grandma...
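As an added example (not part of the thread and not code from the sudo project): a small Python check that classifies each user in a sudoers file as allow-list, unrestricted, or "ALL minus negated commands", the pattern the sudoers manual describes as generally not effective. The parser is simplified (one-line user specs, no aliases or line continuations), and the allow-list sample is constructed for illustration.

```python
import re

# The rules from the question above, copied as posted.
SAMPLE = """\
#Defaults rootpw
root ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) ALL
user ALL=(ALL:ALL) NOPASSWD: ! /bin/su
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/mv
user ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/passwd
"""
# Constructed allow-list sample (hypothetical choice of commands).
ALLOWLIST = "user ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/apt update\n"

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")    # leading "(user:group)"
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as "NOPASSWD:"

def parse(text):
    """Yield (who, negated, command) for simple one-line user specs."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # simplification: skips #include too
            continue
        m = SPEC.match(line)
        if not m or m["who"].startswith("Defaults") or m["who"].endswith("_Alias"):
            continue
        for item in m["rest"].split(","):
            item = TAG.sub("", RUNAS.sub("", item.strip()))
            cmd = item.lstrip("! ")
            bangs = item[: len(item) - len(cmd)].count("!")
            yield m["who"], bangs % 2 == 1, cmd.strip()  # "!!" cancels out

def audit(text):
    """Map each user to 'denylist', 'unrestricted' or 'allowlist'."""
    granted, denied = {}, {}
    for who, negated, cmd in parse(text):
        granted.setdefault(who, set())
        denied.setdefault(who, set())
        (denied if negated else granted)[who].add(cmd)
    return {
        who: ("denylist" if denied[who] else "unrestricted")
        if "ALL" in cmds else "allowlist"
        for who, cmds in granted.items()
    }

if __name__ == "__main__":
    print(audit(SAMPLE))     # flags 'user' as ALL minus negated commands
    print(audit(ALLOWLIST))  # 'user' is limited to the listed commands
```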
- Head_on_a_Stick
-
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 65 times
Re: Securing sudoers with deny commands
That's an illusion of safety, as most attacks are *not* based on sudo -> so "securing" the sudoers file doesn't make much sense.
It was already discussed, but FYI:
1. Closed source software is a primary vector of almost all attacks (99%)
2. Tightly tied to the above: using Flatpak/Appimage/Snap/etc. allows replacing important system libraries, which in turn allows bypassing almost all of the security barriers (for example, by replacing libc.so).
You have to choose between security and "convenience" - it's your decision.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed