Protect a file from a sudoers User

bester69
Posts: 1900
Joined: 2015-04-02 13:15
Been thanked: 1 time

Protect a file from a sudoers User

#1 Post by bester69 »

Basic Steps
1- Protect the file with chattr +i to keep it intact:
chattr +i <<filetoprotect>>

2- Deny chattr execution and su access to the user in the sudoers file:
/etc/sudoers

Code:

myuser	ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
2.1- Deny access to the root user in the sudoers file to the user:

Code:

myuser	ALL=(ALL:ALL) NOPASSWD: ! /bin/su
3- Protect the user's sudoers file with chattr as root:
chattr +i /etc/sudoers
-------

Example: protecting the resolv.conf DNS settings during a time window:

resol_porn.sh
resol_porn.sh 1 (lock resolv.conf with parental-control DNS)
resol_porn.sh 0 (unlock resolv.conf with Google DNS)

Code:

#!/bin/bash
#
# resol_porn.sh: toggle the "! /usr/bin/chattr" and "! /bin/su" negations in
# /etc/sudoers and swap the nameservers in /etc/resolv.conf.
#   resol_porn.sh 1 -> lock: negate chattr/su, parental-control DNS, resolv.conf immutable
#   resol_porn.sh 0 -> unlock: drop the negations, Google DNS
fileproc=/etc/sudoers
filetemp=/tmp/sudoers

# Work on a copy; drop the immutable bit so the edited copy can be written back
sudo cat "$fileproc" > "$filetemp"
sudo chattr -i "$fileproc"

# Lock sudoers
if [ "$1" == "1" ]
then
    # Strip any existing "! " first so the negation is never doubled
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/\/usr\/bin\/chattr/! \/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
    sed -i 's/\/bin\/su/! \/bin\/su/' "$filetemp"

    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 185.228.168.168\nnameserver 185.228.169.168\n' | sudo tee /etc/resolv.conf > /dev/null
    sudo chattr +i /etc/resolv.conf 2> /dev/null
fi

# Unlock sudoers
if [ "$1" == "0" ]
then
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"

    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' | sudo tee /etc/resolv.conf > /dev/null
fi

# Only install the copy if it is non-empty and passes the sudoers syntax check;
# a broken /etc/sudoers locks everyone out of sudo
if [ -s "$filetemp" ] && sudo visudo -cf "$filetemp" > /dev/null
then
    sudo tee "$fileproc" < "$filetemp" > /dev/null
fi
# Do not leave a world-readable copy of sudoers in /tmp
rm -f "$filetemp"

if [ "$1" == "1" ]
then
    sudo chattr +i "$fileproc"
fi


/etc/cron.hourly/cr_resolv
blocks resolv.conf from 21:00 to 08:00

Code:

#!/bin/sh
#
# /etc/cron.hourly/cr_resolv: lock resolv.conf between 21:00 and 08:00 and
# unlock it for the rest of the day
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
DISPLAY=:0 ; export DISPLAY

# Set the resolv.conf nameservers to the parental-control DNS to block porn

hour=$(date +%H)
# -ge so that the 21:00 hour itself falls inside the blocked window
if [ "$hour" -ge 21 ] || [ "$hour" -lt 8 ] ; then
    su root -c "/home/myuser/scripts/resol_porn.sh 1"
else
    su root -c "/home/myuser/scripts/resol_porn.sh 0"
fi

bester69 wrote:You wont change my mind when I know Im right, Im not an ...

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Protect a file from a sudoers User

#2 Post by p.H »

This protection is easy to circumvent with sudo privileges.
Rename/move/copy/hardlink/symlink the chattr executable.
sudo -i/-s.
Execute chattr in a script.
Bind mount another file on the protected file.
Redirect DNS queries to another DNS server with iptables/nftables.
Etc.
Last edited by p.H on 2021-06-16 12:39, edited 2 times in total.

wizard10000
Posts: 198
Joined: 2019-04-16 23:15
Location: southeastern us
Has thanked: 20 times
Been thanked: 6 times

Re: Protect a file from a sudoers User

#3 Post by wizard10000 »

p.H wrote:This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit :mrgreen:
we see things not as they are, but as we are.
-- anais nin

sunrat
Global Moderator
Posts: 3656
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 3 times
Been thanked: 4 times

Re: Protect a file from a sudoers User

#4 Post by sunrat »

wizard10000 wrote:
p.H wrote:This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit :mrgreen:
He is an immutable bit. See his signature! :lol:
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

RU55EL
Posts: 539
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Protect a file from a sudoers User

#5 Post by RU55EL »

Protect a file from a sudoer's User:

Code:

russel@DESKTOP-CK0E8I6:~$ ls > file
russel@DESKTOP-CK0E8I6:~$ ls -l file
-rw-r--r-- 1 russel russel 1539 Jun 16 11:36 file
russel@DESKTOP-CK0E8I6:~$ gpg -c file
[enter good password when prompted]
russel@DESKTOP-CK0E8I6:~$ ls -l file*
-rw-r--r-- 1 russel russel 1539 Jun 16 11:36 file
-rw-r--r-- 1 russel russel  856 Jun 16 11:36 file.gpg
russel@DESKTOP-CK0E8I6:~$ shred file
russel@DESKTOP-CK0E8I6:~$ rm file
russel@DESKTOP-CK0E8I6:~$ ls -l file*
-rw-r--r-- 1 russel russel 856 Jun 16 11:36 file.gpg

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Protect a file from a sudoers User

#6 Post by p.H »

Encryption is not the kind of "protection" discussed in this thread.

RU55EL
Posts: 539
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Protect a file from a sudoers User

#7 Post by RU55EL »

I didn't notice any specification as to what type of protection was being discussed. Please forgive me if I missed it. In any case encryption is a simple way to protect a file from anyone. Not to mention that sudo can be configured for individual logins, allowing access to what is required and "protecting" that which should not be accessed by certain sudo users. (Or all sudo users, for that matter.)

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Protect a file from a sudoers User

#8 Post by p.H »

RU55EL wrote:I didn't notice any specification as to what type of protection was being discussed.
Didn't you read the original post carefully before replying?
It is about preventing a sudoer from modifying a system config file.

RU55EL
Posts: 539
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Protect a file from a sudoers User

#9 Post by RU55EL »

[tongue-in-cheek]

Encrypting the configuration file will accomplish that.

[/tongue-in-cheek]

Seriously, wouldn't proper config of sudo for a given user prevent modification of critical configuration files?

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Protect a file from a sudoers User

#10 Post by p.H »

RU55EL wrote:Encrypting the configuration file will accomplish that.
How would the system be able to use the file when it's encrypted?
RU55EL wrote:Seriously, wouldn't proper config of sudo for a given user prevent modification of critical configuration files?
Of course this is the way to go. Or don't give sudo privileges to untrusted users.

RU55EL
Posts: 539
Joined: 2014-04-07 03:42
Location: /home/russel

Re: Protect a file from a sudoers User

#11 Post by RU55EL »

p.H wrote:
RU55EL wrote:Encrypting the configuration file will accomplish that.
How would the system be able to use the file when it's encrypted?
You did see the [tongue-in-cheek] I posted, didn't you? Sorry if my attempt at humor was unsuccessful.

bester69
Posts: 1900
Joined: 2015-04-02 13:15
Been thanked: 1 time

Re: Protect a file from a sudoers User

#12 Post by bester69 »

p.H wrote:This protection is easy to circumvent with sudo privileges.
Rename/move/copy/hardlink/symlink the chattr executable.
sudo -i/-s.
Execute chattr in a script.
Bind mount another file on the protected file.
Redirect DNS queries to another DNS server with iptables/nftables.
Etc.
WTH!!! :x :?
Then we can't give sudoers full access ... only to specific commands :x or disable sudoers temporarily

Thanks for it.. I was so happy with my own invention :cry: ,

For sure disabling cp, mv, ln, mount wouldn't be enough, as the user could download the binary and run it as sudo... what a disgrace!!

bester69
Posts: 1900
Joined: 2015-04-02 13:15
Been thanked: 1 time

Re: Protect a file from a sudoers User

#13 Post by bester69 »

In this case, we must comment out the user line in sudoers (myuser ALL=(ALL:ALL) ALL), because it gives full sudo access, and leave the rest of the commands we wish as sudoers; this way, sudoers only applies to the specific added commands... I think this way would work as long as we don't give sudo access to some commands like (cp, mv, ln, mount....)

Code:

root	ALL=(ALL:ALL) ALL
#myuser	ALL=(ALL:ALL) ALL

myuser	ALL=(ALL:ALL) NOPASSWD: /sbin/hdparm
myuser	ALL=(ALL:ALL) NOPASSWD: /sbin/resolvconf
myuser	ALL=(ALL:ALL) NOPASSWD: /sbin/ifconfig
....
myuser	ALL=(ALL:ALL) NOPASSWD: /usr/sbin/gparted
myuser	ALL=(ALL:ALL) NOPASSWD: /usr/sbin/hddtemp

The idea is: a user can keep being a sudoer but can't alter a specific given file (for example, one protected with chattr +i)
Last edited by bester69 on 2021-06-25 18:33, edited 1 time in total.
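The point p.H makes, and that post #13 fixes by commenting the ALL line out, can be checked mechanically: a "!" negation only confines a user when no remaining rule grants the command alias ALL. The following audit is an added example, not code from this thread; the function names and the sample sudoers file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit one user's active sudoers
# rules for the weakness p.H points out and post #13 corrects. A negation
# like "NOPASSWD: ! /usr/bin/chattr" only confines the user when no other
# rule still grants the command alias ALL; with an ALL grant present the
# user reaches chattr (or su, cp, mount ...) anyway and the negation is
# cosmetic. Function names and the sample file below are constructed here.

# Print USER's active command list, one entry per line, with the host,
# runas and NOPASSWD/PASSWD/NOEXEC/SETENV tags stripped off.
user_commands() {   # user_commands FILE USER
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null \
      | sed -E 's/^[^=]*=[[:space:]]*(\([^)]*\))?[[:space:]]*//; s/(NO)?(PASSWD|EXEC|SETENV):[[:space:]]*//g' \
      | tr ',' '\n' \
      | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
      | grep -v '^$' || true
}

# Verdict: returns 1 when an ALL grant makes the negations meaningless,
# 0 when the user is confined to explicit commands (or has no rules).
sudoers_audit() {   # sudoers_audit FILE USER
    cmds=$(user_commands "$1" "$2")
    all_grants=$(printf '%s\n' "$cmds" | grep -cx 'ALL' || true)
    negations=$(printf '%s\n' "$cmds" | grep -c '^!' || true)
    explicit=$(printf '%s\n' "$cmds" | grep -c '^/' || true)
    if [ "$all_grants" -gt 0 ]; then
        echo "$2: ALL grant present, $negations negation(s) do not confine this user"
        return 1
    fi
    echo "$2: confined to $explicit explicit command(s), $negations negation(s)"
    return 0
}

# Constructed sample: the original post's layout for myuser (full ALL plus
# negations) and the post-#13 layout for fixed (ALL commented out, whitelist).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root    ALL=(ALL:ALL) ALL
myuser  ALL=(ALL:ALL) ALL
myuser  ALL=(ALL:ALL) NOPASSWD: ! /usr/bin/chattr
myuser  ALL=(ALL:ALL) NOPASSWD: ! /bin/su
#fixed  ALL=(ALL:ALL) ALL
fixed   ALL=(ALL:ALL) NOPASSWD: /sbin/hdparm, /sbin/resolvconf
EOF
sudoers_audit "$SAMPLE" myuser || true   # ALL grant, 2 negations -> not confined
sudoers_audit "$SAMPLE" fixed            # confined to 2 explicit commands
rm -f "$SAMPLE"
```

Run it against a copy of the real file (sudo cat /etc/sudoers > copy) rather than the live one, and remember that the check only covers the rules for the named user, not aliases or files under /etc/sudoers.d.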

bester69
Posts: 1900
Joined: 2015-04-02 13:15
Been thanked: 1 time

Re: Protect a file from a sudoers User

#14 Post by bester69 »

wizard10000 wrote:
p.H wrote:This protection is easy to circumvent with sudo privileges...
Yup. bester's a big fan of the immutable bit :mrgreen:
you really know me very well :mrgreen:

p.H
Posts: 1884
Joined: 2017-09-17 07:12

Re: Protect a file from a sudoers User

#15 Post by p.H »

bester69 wrote:then we cant give full access sudoers ... only to specific commands
I agree.

bester69
Posts: 1900
Joined: 2015-04-02 13:15
Been thanked: 1 time

Re: Protect a file from a sudoers User

#16 Post by bester69 »

I corrected the script, now it's working well:
In this version the root password is changed automatically by the script, so the only way to unlock resolv.conf is to wait for the window time to open or to use a live CD.
So we have:
>> window time is open: the user is a sudoer for any commands
>> window time is closed: the user needs to know the root password

resol_porn.sh

Code:

#!/bin/bash
#
# resol_porn.sh (revised): lock/unlock /etc/sudoers and /etc/resolv.conf.
#   1 -> lock   (called from cron inside the blocked window)
#   0 -> unlock (called from cron outside the window)
#   2 -> lock outside the cron schedule, and record it in $lockresol
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
DISPLAY=:0 ; export DISPLAY
fileproc=/etc/sudoers
filetemp=/tmp/sudoers
lockresol="/etc/resolvlock"

# Work on a copy; drop the immutable bit so the edited copy can be written back
sudo cat "$fileproc" > "$filetemp"
sudo chattr -i "$fileproc"

OP="$1"
# $1=2 means lock outside the crontab schedule
if [ "$1" == "2" ]
then
    OP="1"
    echo "1" | sudo tee "$lockresol" > /dev/null
fi

# Lock sudoers
if [ "$OP" == "1" ]
then
    # Uncomment the "Defaults rootpw" line so sudo asks for root's password
    sed -i '/rootpw/s/^#//' "$filetemp"

    # Strip any existing "! " first so the negation is never doubled
    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/\/usr\/bin\/chattr/! \/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
    sed -i 's/\/bin\/su/! \/bin\/su/' "$filetemp"

    sudo chattr -i /etc/resolv.conf 2> /dev/null
    printf 'nameserver 185.228.168.168\nnameserver 185.228.169.168\n' | sudo tee /etc/resolv.conf > /dev/null
    sudo chattr +i /etc/resolv.conf 2> /dev/null
fi

# Unlock sudoers
if [ "$OP" == "0" ]
then
    # Comment the "Defaults rootpw" line out again (exactly one leading "#")
    sed -i '/rootpw/s/^#*/#/' "$filetemp"

    sed -i 's/! \/usr\/bin\/chattr/\/usr\/bin\/chattr/' "$filetemp"
    sed -i 's/! \/bin\/su/\/bin\/su/' "$filetemp"
fi

# Only install the copy if it is non-empty and passes the sudoers syntax check;
# a broken /etc/sudoers locks everyone out of sudo
if [ -s "$filetemp" ] && sudo visudo -cf "$filetemp" > /dev/null
then
    sudo tee "$fileproc" < "$filetemp" > /dev/null
fi
# Do not leave a world-readable copy of sudoers in /tmp
rm -f "$filetemp"

# While locked, set root's password to a random value nobody knows, so the only
# way back in is the unlock window (or a live CD); then make sudoers immutable
if [ "$OP" == "1" ]
then
    newpass="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 16)"
    echo "root:$newpass" | sudo chpasswd
    sudo chattr +i "$fileproc"
fi



