Host restriction of sudoers
Hi everyone, I don't quite understand the "host restriction" part of the sudoers file. The remaining parts (RunAs, Cmd) are easy to understand, but this "host" part is really difficult to understand. How to take advantage of sudoers "Host_List" function? The definition is difficult to understand and when I think about it I feel it is meaningless. It's like this ALL value is meaningless because I can't make it to blacklist/whitelist.
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* +netgroup |
'!'* Host_Alias
A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with ‘+’) and other aliases. Again, the value of an item may be negated with the ‘!’ operator. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. If you specify a network number without a netmask, sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the host's network interfaces, will use the netmask of that interface. The netmask may be specified either in standard IP address notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g., 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the host name command on your machine returns the fully qualified host name, you'll need to use the fqdn flag for wildcards to be useful. Note that sudo only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name “localhost” will only match if that is the actual host name, which is usually only the case for non-networked systems.
The problem is too easy to understand
admin ALL=(ALL) ALL
Hello huyvl3-fptcloud
That's how it works. The places where you can specify the host in sudoers are so that you can use the same sudoers files across multiple hosts and give different access to different things depending on which host the commands are run. I do not think that sudo knows anything about ssh access from different hosts.
I hope it helps you.
Good luck
Hi @shura, can you give some examples of "host restriction" with this "Host_List" function? Because besides the ALL value, I don't know what value to put in.
Hi. Something like this:
Host_Alias RHOST = rhost1.company.nl, 192.168.0.13
Cmnd_Alias PMAP = /usr/sbin/postmap
Ruser RHOST=(ALL) PMAP
Best regards
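As an added illustration, not code from any poster and not sudo's own implementation: a simplified Python model of how sudo decides whether a Host_List applies to the machine it is running on, following the man page rules quoted above (IPv4 only; netgroups are not modeled). The alias table mirrors the RHOST example in this thread, and the host names and interface addresses are constructed.

```python
import fnmatch
import ipaddress

# Constructed Host_Alias table mirroring the thread's example (not real hosts).
HOST_ALIASES = {"RHOST": ["rhost1.company.nl", "192.168.0.13"]}


def host_entry_matches(entry, hostname, iface_addrs):
    """Match one Host item (already stripped of '!') against this host.
    iface_addrs: (address, netmask) pairs of real interfaces only; the
    loopback is left out on purpose, which is why 127.0.0.1 never matches."""
    if "/" in entry:  # network with CIDR prefix or dotted netmask
        net = ipaddress.ip_network(entry, strict=False)
        return any(ipaddress.ip_address(a) in net for a, _ in iface_addrs)
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:  # not an address: a host name, wildcards allowed
        return fnmatch.fnmatchcase(hostname.lower(), entry.lower())
    for a, mask in iface_addrs:
        net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
        # exact interface address, or a bare network number checked with
        # that interface's own netmask (the "no netmask given" rule above)
        if addr == ipaddress.ip_address(a) or addr == net.network_address:
            return True
    return False


def host_list_matches(host_list, hostname, iface_addrs):
    """Evaluate a Host_List string: ALL matches every host, '!' negates,
    aliases expand in place, and the last matching item decides."""
    items = []
    for raw in host_list.split(","):
        raw = raw.strip()
        bangs = len(raw) - len(raw.lstrip("!"))
        for member in HOST_ALIASES.get(raw[bangs:], [raw[bangs:]]):
            items.append(("!" * bangs) + member)
    result = False
    for item in items:
        negated = (len(item) - len(item.lstrip("!"))) % 2 == 1
        item = item.lstrip("!")
        if item == "ALL" or host_entry_matches(item, hostname, iface_addrs):
            result = not negated
    return result


if __name__ == "__main__":
    # Constructed hosts: which of them does "Ruser RHOST=(ALL) PMAP" apply to?
    for name, ifaces in [("rhost1.company.nl", [("10.1.1.5", "255.255.255.0")]),
                         ("web2.company.nl", [("192.168.0.13", "255.255.255.0")]),
                         ("build9.company.nl", [("10.9.9.9", "255.255.255.0")])]:
        print(name, host_list_matches("RHOST", name, ifaces))
```

The same sudoers line is applied on every host, but only the hosts that match the Host_List actually grant the rule, which is how one shared file can behave differently per machine.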
The IP address mentioned in the Host_Alias line is the IP of the current machine. I am very sure about this because I have seen this example already. So what is the difference between leaving ALL versus host_name/ip? Do you mean it implements whitelist functionality?
Hi
Think, please, about networked root fs and different behavior of sudoers at different systems
Good luck
I mean if it can't be adjusted then why does it exist in the config file instead of hiding it altogether?