huyvl3-fptcloud
Flight Engineer

Host restriction of sudoers

Hi everyone, I don't quite understand the "host restriction" part of the sudoers file. The remaining parts (RunAs, Cmd) are easy to understand, but this "host" part is really difficult to understand. How do I take advantage of the sudoers "Host_List" function? The definition is difficult to understand, and when I think about it I feel it is meaningless. It's like this ALL value is meaningless because I can't make it blacklist/whitelist.


     Host_List ::= Host |
                   Host ',' Host_List

     Host ::= '!'* host name |
              '!'* ip_addr |
              '!'* network(/netmask)? |
              '!'* +netgroup |
              '!'* Host_Alias

     A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with ‘+’) and other aliases.  Again, the value of an item may be negated with the ‘!’ operator.  Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching.  If you specify a network number without a netmask, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the host's network interfaces, will use the netmask of that interface.  The netmask may be specified either in standard IP address notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g., 24 or 64).  A host name may include shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host name, you'll need to use the fqdn flag for wildcards to be useful.  Note that sudo only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match.  Also, the host name “localhost” will only match if that is the actual host name, which is usually only the case for non-networked systems.


The problem is too easy to understand


admin    ALL=(ALL)   ALL


6 Replies
shura
Flight Engineer

Hello huyvl3-fptcloud

That's how it works. The places where you can specify the host in sudoers are so that you can use the same sudoers files across multiple hosts and give different access to different things depending on which host the commands are run. I do not think that sudo knows anything about ssh access from different hosts.

I hope it helps you.

Good luck

huyvl3-fptcloud
Flight Engineer

Hi @shura, can you give some examples of "host restriction" with this "Host_List" function? Because besides the ALL value, I don't know what value to put in.

shura
Flight Engineer

Hi.  Something like this:

Host_Alias RHOST = rhost1.company.nl, 192.168.0.13
Cmnd_Alias PMAP = /usr/sbin/postmap
Ruser RHOST=(ALL) PMAP


Best regards

huyvl3-fptcloud
Flight Engineer

The IP address mentioned in the Host_Alias line is the IP of the current machine. I am very sure about this because I have seen this example already. So what is the difference between leaving ALL versus host_name/ip? Do you mean it implements whitelist functionality?

shura
Flight Engineer

Hi

Think, please, about a networked root fs and the different behavior of sudoers on different systems.

Good luck

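To make the host field concrete, here is an added example (not from this thread and not sudo's own code) that models the Host_List rules quoted in the question in Python and evaluates the same sudoers entries, including shura's RHOST alias, as if one shared sudoers file were installed on several different hosts. The WEBFARM alias, host names and addresses are constructed for the example, and a bare network number without a netmask is simplified to a single address.

```python
"""Model of the sudoers(5) Host_List rules: one shared sudoers file, evaluated per host."""
import fnmatch
import ipaddress

# Host_Alias definitions as they would sit in a shared sudoers file. Constructed for
# this example; RHOST is the alias from the reply above, WEBFARM is made up.
HOST_ALIASES = {
    "RHOST": ["rhost1.company.nl", "192.168.0.13"],
    "WEBFARM": ["web*.company.nl", "!web9.company.nl"],
}

def host_matches(item, hostname, addrs):
    """Match one Host item (already stripped of '!') against this host's name and
    the addresses of its real network interfaces."""
    if item == "ALL":
        return True
    if item in HOST_ALIASES:  # simplified: an alias matches when its own list grants
        return host_list_matches(HOST_ALIASES[item], hostname, addrs) is True
    try:
        # ip_addr or network/netmask, in dotted or CIDR form. A bare network number is
        # treated as a single address here; real sudo borrows the local interface's mask.
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        # host name, optionally with shell-style wildcards; sudo compares case-insensitively
        return fnmatch.fnmatchcase(hostname.lower(), item.lower())
    # sudo only inspects actual interfaces, so addrs never contains 127.0.0.1
    return any(ipaddress.ip_address(a) in net for a in addrs)

def host_list_matches(host_list, hostname, addrs):
    """Evaluate a Host_List: True (grants), False (denied by '!'), None (nothing matched).
    As in sudo, the last item that matches decides, and a negated match never grants."""
    result = None
    for raw in host_list:
        bare = raw.lstrip("!")
        negated = (len(raw) - len(bare)) % 2 == 1  # '!'* : an odd number of '!' negates
        if host_matches(bare, hostname, addrs):
            result = not negated
    return result

def applies_on(host_spec, hostname, addrs):
    """True if a sudoers entry whose host field is host_spec is active on this host."""
    items = [i.strip() for i in host_spec.split(",")]
    return host_list_matches(items, hostname, addrs) is True

if __name__ == "__main__":
    # The same entries, evaluated on two machines that share the sudoers file.
    fleet = [("rhost1.company.nl", ["192.168.0.13"]), ("web9.company.nl", ["10.1.2.5"])]
    for spec in ("ALL", "RHOST", "WEBFARM", "192.168.0.0/255.255.255.0"):
        print(spec, {h: applies_on(spec, h, a) for h, a in fleet})
```

On a single machine `ALL` and an alias naming that machine behave identically, which is why the difference only shows once the same file is copied to a host the alias does not name.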
huyvl3-fptcloud
Flight Engineer

I mean if it can't be adjusted then why does it exist in the config file instead of hiding it altogether?
