Hi,
I have a requirement to provide root access but user should not run some specific commands, How it is possible.
following is my configuration at sudoers file,
Cmnd_Alias MYLIMIT = /usr/bin/passwd /sbin/shutdown /usr/bin/reboot /usr/sbin/visudo /bin/vi /usr/bin/vim
test2 ALL=(ALL)NOPASSWD: ALL, !MYLIMIT
%wheel ALL = NOPASSWD:ALL, !MYLIMIT
its not working, following is next attempt
test2 ALL=(ALL)NOPASSWD: !/usr/bin/passwd, !/usr/sbin/visudo ALL
#OR#
test2 ALL=(ALL)NOPASSWD: ALL, !/usr/bin/passwd, !/usr/sbin/visudo
nothing worked, after all attempts following is result
[test2@rhel6-server ~]$ sudo su
Last login: Sat Mar 10 17:15:07 IST 2018 on pts/12
[root@rhel6-server test2]# passwd root
Changing password for user root.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
Methinks you have a syntax error in the Cmnd_Alias as the Cmnd_List should be comma delimited, but the actual reason for your "error" is that you're running the passwd command as root . man su :
Dear RudiC,
very thanks for your prompt response, the reason for my "error" is my biggest problem. its our requirement to give root access but with restriction and users are really giving a headache to me, they just login and do
sudo su
and change in
sudoers
or in
passwd
file to give them rights.
its really difficult to analyse the logs on daily basis, we only came to know when something nasty happened.
please suggest if there is any other alternate solution to this.
That sounds like an offence of company / organisation policies - should those exist. Time to establish at least some sort of rules, no?
Why don't you in sudoers prohibit su for anyone but root so sudo su will fail and be reported?
And, BTW, analysing reports for offences can be made an automated task...
EDIT: Re-reading your post, I see that some root access is necessary. This is exactly what sudo is for, not su . man sudo :
So, you should list the allowed users for execution of a certain limited set of commands, which, btw, should be the method preferred over what you presented above. man sudoers :
Yes Dear, this is violation and 2 are fired as well, but still extra enthusiastic/passionate/committed users are with us. mail is also blocked in servers so no offense reported via email.
just tied hand & legs and ordered to provide this
test2 ALL=(ALL)NOPASSWD: ALL
but users should not do this and that.
now i have only option left to get the list of commands from teams and allow only those via
sudoers
Please correct me if i am wrong or there is any other solution