Block a command from sudo user












9















I don't need an administrator to change my root password. I don't want any sudo user to execute this command:



sudo passwd $root


I have tried it in the sudoers file using the following command:



%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root


How can I block it?






sudo root







share|improve this question

























  • Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

    – edwin
    Jul 21 '14 at 20:09
















9















I don't need an administrator to change my root password. I don't want any sudo user to execute this command:



sudo passwd $root


I have tried it in the sudoers file using the following command:



%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root


How can I block it?






sudo root







share|improve this question

























  • Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

    – edwin
    Jul 21 '14 at 20:09














9












9








9


4






I don't need an administrator to change my root password. I don't want any sudo user to execute this command:



sudo passwd $root


I have tried it in the sudoers file using the following command:



%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root


How can I block it?






sudo root







share|improve this question
















I don't need an administrator to change my root password. I don't want any sudo user to execute this command:



sudo passwd $root


I have tried it in the sudoers file using the following command:



%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root


How can I block it?






sudo root




sudo root






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jul 21 '14 at 18:50









Parto

9,4561965105




9,4561965105










asked Jul 21 '14 at 15:36









Magesh ArumugamMagesh Arumugam

101115




101115













  • Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

    – edwin
    Jul 21 '14 at 20:09



















  • Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

    – edwin
    Jul 21 '14 at 20:09

















Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

– edwin
Jul 21 '14 at 20:09





Do you mean that you have more than one sudo-able user in your system? Or something else? Please, edit the question to provide any new information.

– edwin
Jul 21 '14 at 20:09










2 Answers
2






active

oldest

votes


















12














According to sudoers manual:



   It is generally not effective to "subtract" commands from ALL using the

   ’!’ operator.  A user can trivially circumvent this by copying the

   desired command to a different name and then executing that.  For

   example:



       bill        ALL = ALL, !SU, !SHELLS



   Doesn’t really prevent bill from running the commands listed in SU or

   SHELLS since he can simply copy those commands to a different name, or

   use a shell escape from an editor or other program.  Therefore, these

   kind of restrictions should be considered advisory at best (and

   reinforced by policy).


This is why your sudoers policy doesn't work.



If you would like to prevent user to gain root permission and change its password, try this procedure:





  • Assuming your sudoers contains this directive:



     root    ALL=(ALL:ALL) ALL
    
 %sudo   ALL=(ALL:ALL) ALL



  • Assuming your user name is foo, his groups are foo and sudo. groups command output is:



    foo sudo


  • Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.



  • Edit sudoers file. Use this command:



    sudo visudo -f /etc/sudoers.d/foo



  • Define user foo permission, for example:



    foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su


    This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command.
    Note: If the user foo wants to change his password, can run passwd command without sudo.




  • Another example of user foo permission:



    foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root


    This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.




You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.






share|improve this answer


























  • I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

    – clurect
    Sep 26 '17 at 18:13





















0














add command alias via visudo:



Cmnd_Alias PASSWD=/usr/bin/passwd

Cmnd_Alias SU=/bin/su


add restrictions via visudo:



%nopasswdgroup ALL = ALL, !PASSWD, !SU


add user to group called nopasswdgroup:



usermod -aG nopasswdgroup nopasswduser





share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f500679%2fblock-a-command-from-sudo-user%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    12














    According to sudoers manual:



       It is generally not effective to "subtract" commands from ALL using the
    
   ’!’ operator.  A user can trivially circumvent this by copying the
    
   desired command to a different name and then executing that.  For
    
   example:
    

    
       bill        ALL = ALL, !SU, !SHELLS
    

    
   Doesn’t really prevent bill from running the commands listed in SU or
    
   SHELLS since he can simply copy those commands to a different name, or
    
   use a shell escape from an editor or other program.  Therefore, these
    
   kind of restrictions should be considered advisory at best (and
    
   reinforced by policy).


    This is why your sudoers policy doesn't work.



    If you would like to prevent user to gain root permission and change its password, try this procedure:





    • Assuming your sudoers contains this directive:



       root    ALL=(ALL:ALL) ALL
      
 %sudo   ALL=(ALL:ALL) ALL



    • Assuming your user name is foo, his groups are foo and sudo. groups command output is:



      foo sudo


    • Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.



    • Edit sudoers file. Use this command:



      sudo visudo -f /etc/sudoers.d/foo



    • Define user foo permission, for example:



      foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su


      This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command.
      Note: If the user foo wants to change his password, can run passwd command without sudo.




    • Another example of user foo permission:



      foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root


      This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.




    You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.






    share|improve this answer


























    • I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

      – clurect
      Sep 26 '17 at 18:13


















    12














    According to sudoers manual:



       It is generally not effective to "subtract" commands from ALL using the
    
   ’!’ operator.  A user can trivially circumvent this by copying the
    
   desired command to a different name and then executing that.  For
    
   example:
    

    
       bill        ALL = ALL, !SU, !SHELLS
    

    
   Doesn’t really prevent bill from running the commands listed in SU or
    
   SHELLS since he can simply copy those commands to a different name, or
    
   use a shell escape from an editor or other program.  Therefore, these
    
   kind of restrictions should be considered advisory at best (and
    
   reinforced by policy).


    This is why your sudoers policy doesn't work.



    If you would like to prevent user to gain root permission and change its password, try this procedure:





    • Assuming your sudoers contains this directive:



       root    ALL=(ALL:ALL) ALL
      
 %sudo   ALL=(ALL:ALL) ALL



    • Assuming your user name is foo, his groups are foo and sudo. groups command output is:



      foo sudo


    • Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.



    • Edit sudoers file. Use this command:



      sudo visudo -f /etc/sudoers.d/foo



    • Define user foo permission, for example:



      foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su


      This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command.
      Note: If the user foo wants to change his password, can run passwd command without sudo.




    • Another example of user foo permission:



      foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root


      This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.




    You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.






    share|improve this answer


























    • I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

      – clurect
      Sep 26 '17 at 18:13
















    12












    12








    12







    According to sudoers manual:



       It is generally not effective to "subtract" commands from ALL using the
    
   ’!’ operator.  A user can trivially circumvent this by copying the
    
   desired command to a different name and then executing that.  For
    
   example:
    

    
       bill        ALL = ALL, !SU, !SHELLS
    

    
   Doesn’t really prevent bill from running the commands listed in SU or
    
   SHELLS since he can simply copy those commands to a different name, or
    
   use a shell escape from an editor or other program.  Therefore, these
    
   kind of restrictions should be considered advisory at best (and
    
   reinforced by policy).


    This is why your sudoers policy doesn't work.



    If you would like to prevent user to gain root permission and change its password, try this procedure:





    • Assuming your sudoers contains this directive:



       root    ALL=(ALL:ALL) ALL
      
 %sudo   ALL=(ALL:ALL) ALL



    • Assuming your user name is foo, his groups are foo and sudo. groups command output is:



      foo sudo


    • Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.



    • Edit sudoers file. Use this command:



      sudo visudo -f /etc/sudoers.d/foo



    • Define user foo permission, for example:



      foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su


      This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command.
      Note: If the user foo wants to change his password, can run passwd command without sudo.




    • Another example of user foo permission:



      foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root


      This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.




    You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.






    share|improve this answer















    According to sudoers manual:



       It is generally not effective to "subtract" commands from ALL using the
    
   ’!’ operator.  A user can trivially circumvent this by copying the
    
   desired command to a different name and then executing that.  For
    
   example:
    

    
       bill        ALL = ALL, !SU, !SHELLS
    

    
   Doesn’t really prevent bill from running the commands listed in SU or
    
   SHELLS since he can simply copy those commands to a different name, or
    
   use a shell escape from an editor or other program.  Therefore, these
    
   kind of restrictions should be considered advisory at best (and
    
   reinforced by policy).


    This is why your sudoers policy doesn't work.



    If you would like to prevent user to gain root permission and change its password, try this procedure:





    • Assuming your sudoers contains this directive:



       root    ALL=(ALL:ALL) ALL
      
 %sudo   ALL=(ALL:ALL) ALL



    • Assuming your user name is foo, his groups are foo and sudo. groups command output is:



      foo sudo


    • Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.



    • Edit sudoers file. Use this command:



      sudo visudo -f /etc/sudoers.d/foo



    • Define user foo permission, for example:



      foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su


      This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command.
      Note: If the user foo wants to change his password, can run passwd command without sudo.




    • Another example of user foo permission:



      foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root


      This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.




    You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Feb 14 '17 at 14:01









    muru

    1




    1










    answered Jul 21 '14 at 21:04









    LetyLety

    4,98521730




    4,98521730













    • I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

      – clurect
      Sep 26 '17 at 18:13





















    • I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

      – clurect
      Sep 26 '17 at 18:13



















    I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

    – clurect
    Sep 26 '17 at 18:13







    I had to do foo ALL=/usr/bin/*, !/usr/bin/passwd any idea why that's the case?

    – clurect
    Sep 26 '17 at 18:13















    0














    add command alias via visudo:



    Cmnd_Alias PASSWD=/usr/bin/passwd
    
Cmnd_Alias SU=/bin/su


    add restrictions via visudo:



    %nopasswdgroup ALL = ALL, !PASSWD, !SU


    add user to group called nopasswdgroup:



    usermod -aG nopasswdgroup nopasswduser





    share|improve this answer




























      0














      add command alias via visudo:



      Cmnd_Alias PASSWD=/usr/bin/passwd
      
Cmnd_Alias SU=/bin/su


      add restrictions via visudo:



      %nopasswdgroup ALL = ALL, !PASSWD, !SU


      add user to group called nopasswdgroup:



      usermod -aG nopasswdgroup nopasswduser





      share|improve this answer


























        0












        0








        0







        add command alias via visudo:



        Cmnd_Alias PASSWD=/usr/bin/passwd
        
Cmnd_Alias SU=/bin/su


        add restrictions via visudo:



        %nopasswdgroup ALL = ALL, !PASSWD, !SU


        add user to group called nopasswdgroup:



        usermod -aG nopasswdgroup nopasswduser





        share|improve this answer













        add command alias via visudo:



        Cmnd_Alias PASSWD=/usr/bin/passwd
        
Cmnd_Alias SU=/bin/su


        add restrictions via visudo:



        %nopasswdgroup ALL = ALL, !PASSWD, !SU


        add user to group called nopasswdgroup:



        usermod -aG nopasswdgroup nopasswduser






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 14 '17 at 14:02









        shcherbakshcherbak

        328211




        328211






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f500679%2fblock-a-command-from-sudo-user%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Human spaceflight

            Image
            Human spaceflight From Wikipedia, the free encyclopedia Jump to navigation Jump to search "Space traveler" redirects here. For other uses, see Space traveler (disambiguation). @media all and (max-width:720px){.mw-parser-output .tmulti>.thumbinner{width:100%!important;max-width:none!important}.mw-parser-output .tmulti .tsingle{float:none!important;max-width:none!important;width:100%!important;text-align:center}} Apollo 11 crewmember Buzz Aldrin on the Moon, 1969 International Space Station crewmember Tracy Caldwell Dyson views the Earth, 2010 Space Shuttle Discovery heads into space with a crew aboard, STS-121 in 2006 Inside a space suit on the Canadarm, 1993 Human spaceflight (also referred to as crewed spaceflight or manned spaceflight ) is space travel with a crew or passengers aboard the spacecraft. Spacecraft carrying people may be operated directly, by human crew, or it may be e
            Read more

            Can not write log (Is /dev/pts mounted?) - openpty in Ubuntu-on-Windows?

            Image
            0 1 What exactly does the error message beginning with E: mean? I assume it has to do with the file structure on Ubuntu-on-Windows, but what exactly? The following package was automatically installed and is no longer required: os-prober Use 'apt-get autoremove' to remove it. The following extra packages will be installed: libxslt1.1 The following NEW packages will be installed: libxslt1.1 xmlstarlet 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 435 kB of archives. After this operation, 1023 kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libxslt1.1 amd64 1.1.28-2build1 [145 kB] Get:2 http://archive.ubuntu.com/ubuntu/ trusty/universe xmlstarlet amd64 1.5.0-1 [290 kB]
            Read more

            File:DeusFollowingSea.jpg

            Image
            File:DeusFollowingSea.jpg From Wikipedia, the free encyclopedia Jump to navigation Jump to search File File history File usage No higher resolution available. DeusFollowingSea.jpg ‎ (238 × 211 pixels, file size: 12 KB, MIME type: image/jpeg ) Summary [ edit ] Media data and Non-free use rationale Description Cover art of the Deus CD Following Sea Author or copyright owner Deus Source (WP:NFCC#4) rocksucker.co.uk Date of publication 2012 Use in article (WP:NFCC#7) Following Sea Purpose of use in article (WP:NFCC#8) to serve as the primary means of visual identification at the top of the article dedicated to the work in question. Not replaceable with free media because (WP:NFCC#1) n.a. Minimal use (WP:NFCC#3) Low res image used in infobox of the article on the album Respect for commercial opportunities (WP:NFCC#2) n.a. Fair use Fair use of co
            Read more