1. Home
  2. Linux systems
  3. Linux security

Recipe 5.14 Restricting root's Abilities via sudo

5.14.1 Problem

You want to let a user run all commands as root except for specific exceptions, such as su.

5.14.2 Solution

Don't.

Instead, list all the permissible commands explicitly in /etc/sudoers. Don't try the reverse?letting the user run all commands as root "except these few"?which is prohibitively difficult to do securely.

5.14.3 Discussion

It's tempting to try excluding dangerous commands with the "!" syntax:

/etc/sudoers:
smith  ALL = (root) !/usr/bin/su ...

but this technique is fraught with problems. A savvy user can easily get around it by renaming the forbidden executables:

smith$ ln -s /usr/bin/su gimmeroot
smith$ sudo gimmeroot

Instead, we recommend listing all acceptable commands individually, making sure that none have shell escapes.

5.14.4 See Also

sudo(8), sudoers(5).



    		Preface
    		Chapter 1. System Snapshots with Tripwire
    		Chapter 2. Firewalls with iptables and ipchains
    		Chapter 3. Network Access Control
    		Chapter 4. Authentication Techniques and Infrastructures
    		Chapter 5. Authorization Controls
    		Recipe 5.1 Running a root Login Shell
    		Recipe 5.2 Running X Programs as root
    		Recipe 5.3 Running Commands as Another User via sudo
    		Recipe 5.4 Bypassing Password Authentication in sudo
    		Recipe 5.5 Forcing Password Authentication in sudo
    		Recipe 5.6 Authorizing per Host in sudo
    		Recipe 5.7 Granting Privileges to a Group via sudo
    		Recipe 5.8 Running Any Program in a Directory via sudo
    		Recipe 5.9 Prohibiting Command Arguments with sudo
    		Recipe 5.10 Sharing Files Using Groups
    		Recipe 5.11 Permitting Read-Only Access to a Shared File via sudo
    		Recipe 5.12 Authorizing Password Changes via sudo
    		Recipe 5.13 Starting/Stopping Daemons via sudo
    		Recipe 5.14 Restricting root's Abilities via sudo
    		Recipe 5.15 Killing Processes via sudo
    		Recipe 5.16 Listing sudo Invocations
    		Recipe 5.17 Logging sudo Remotely
    		Recipe 5.18 Sharing root Privileges via SSH
    		Recipe 5.19 Running root Commands via SSH
    		Recipe 5.20 Sharing root Privileges via Kerberos su
    		Chapter 6. Protecting Outgoing Network Connections
    		Chapter 7. Protecting Files
    		Chapter 8. Protecting Email
    		Chapter 9. Testing and Monitoring
    		Colophon