Linuxhelp _ Programming in Linux _ Editing sudoers still gives users full access

Posted by: Subby Sep 15 2006, 03:49 PM

I need some help. I am trying to harden a Linux PC so that non-root users cannot run root level, except for one.
I have the following entry in my /etc/sudoers via the visudo command:

admin ALL=!/bin/[]*,!/usr/[]*,!/sbin/[]*,/bin/sh /etc/rc5.d/S99AdminApp, NOPASSWD: ALL

So basically, all I want the user to be able to run as from a sudo -u root point of view is /etc/rc5.d/S99AdminApp without being prompted for a password, hence the NOPASSWD. This application also loads at boot-time, that's why it's in the RC directory.

Problem I am having is that any user can still run commands like
sudo -u root ls /opt/application even though in the sudo -l it lists:

User admin may run the following commands on this host:
(root) !/bin/[]*
(root) !/usr/[]*
(root) !/sbin/[]*
(root) /bin/sh /etc/rc5.d/S99AdminApp
(root) NOPASSWD: ALL


Furthermore, /opt/application is completely isolated from all users except root since I do not want any user to have access to this directory except root.

Any ideas what I am doing wrong?

Thanks
Subby
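
Added example, not part of the original post: the posted entry beside an allow-list form of it, with comments on how sudo evaluates the command list. It assumes the goal stated in the post (user admin may run only the one script as root, without a password); the ownership and mode requirement in the last comment is an assumption about how the script should be installed.

```sudoers
# As posted (shown commented out). sudo walks the command list in order
# and the LAST entry that matches the requested command decides. The
# trailing "ALL" matches every command, so it overrides the three
# negated patterns in front of it, whatever they match.
# The NOPASSWD tag applies only to entries that follow it in the list,
# so here it covers "ALL" but not the script named before it.
#
# admin ALL=!/bin/[]*,!/usr/[]*,!/sbin/[]*,/bin/sh /etc/rc5.d/S99AdminApp, NOPASSWD: ALL

# Allow-list form: name the single permitted command and nothing else.
# With no "ALL" in the list, every other command is refused by default,
# so the negated entries are not needed. The tag comes before the
# command it should apply to, and (root) fixes the run-as user.
admin ALL=(root) NOPASSWD: /bin/sh /etc/rc5.d/S99AdminApp

# Assumption: /etc/rc5.d/S99AdminApp (and the directories above it) must
# be owned by root and not writable by admin, otherwise the user can
# change what the permitted command runs as root.
```

After editing with visudo, `visudo -c` checks the file's syntax and `sudo -l` run as admin should list only the script.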
