Help Limit Sudo Access For Script
I have a developer on my Linux server who needs to have a small custom Bash script run manually which lives in the /etc/init.d/ folder:
Code:
[root@cq init.d]# ls -l myscript
So I just want this user to be able to run this script as sudo but have sudo limit her ability to what she can and can't do as an elevated user. Thanks for any info.
Not difficult. In your sudoers, just add:
Code:
herUsername ALL=(ALL) /path/to/her/script
However, you probably want to ensure she doesn't have write access to the script (otherwise she could put 'sh' in there and get a full shell!). So you want to take a copy of her script, make sure she can't alter the copy, and then allow her to run the copy as sudo.
...additionally:
Indeed; some cmds/tools do allow (or can be 'crashed' to allow) access to a shell.
Have a good read of the sudoers page http://linux.die.net/man/5/sudoers, with special ref to the Security Notes & Preventing Shell Escapes sections at the bottom there ... Note that the perms you've got at the moment allow anyone to run it, without sudo... You could possibly create a dedicated group for just running that file and only put that one user in that group and use group execute perms; no need for sudo.
Quote:
One thing to restrict is parameters. The script may be subject to something like sudo script '`/usr/bin/sh`' or some other shenanigans with parameters, environment, or other substitutions...