DNAtsol_student
Mission Specialist
Mission Specialist
  • 348 Views

just how specific can you make a sudoer's permissions?

Jump to solution

Hey all,

I've added myself to a custom sudoer file so I do not need to enter the sudo password for a specific command. But, I'm wondering if it is possible to limit that even further and limit the nopasswd requirement to that command and and specific arguments I've made to the mount command. 

For example, in the custom sudoer file I added the NOPASSWD element and reference the

/usr/bin/mount command in the file but would like to have it refer to a specific NFS share and still require it for others.

Essentially, I'm looking to create a cronjob and mount this share only when I want to perform a backup for a specific machine.

thoughts? suggestions? pointers? All welcome

Thanks

1 Solution

Accepted Solutions
m8ram
Mission Specialist
Mission Specialist
  • 286 Views

You can do this, you can even use wildcards: https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#Wildcards

The example in the official docs:

%operator ALL = /bin/cat /var/log/messages*

You can also prevent the user from passing *any* arguments yo a command by specifying the empty string `""` after the command.

And you can go even further and allow some arguments and then explictly deny some.

Again from the official documentation (https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#EXAMPLES) :

pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

 

This allows fine grained access and is certainly necessary in certain environments.

In your case adding the path to be mounted to the /usr/bin.mount command will achieve what you are looking for.

Keep in mind that you know about various ways to elevate/escape certain restrictions.

E.g. if you grant anyone permission to run `vim` as root they can use vim's shell interface to open a shell as root. Many tools have such features.
https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#Preventing_shell_escapes describes some ways to protect but be mindful of the last paragraph about the inherit risks.

View solution in original post

3 Replies
morbius
Flight Engineer
Flight Engineer
  • 312 Views

No, you cannot specify attributes of the command in sudoers, you can just allow that user to execute /usr/bin/mount file.

There is rarely need to be that paranoid that you should limit the user what exactly he should be able to mount. You could play with permissions and ownership of the mountpoints, but I wouldn't bother. You could make a backup script or playbook with exact steps you want and then have cron execute that.

m8ram
Mission Specialist
Mission Specialist
  • 287 Views

You can do this, you can even use wildcards: https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#Wildcards

The example in the official docs:

%operator ALL = /bin/cat /var/log/messages*

You can also prevent the user from passing *any* arguments yo a command by specifying the empty string `""` after the command.

And you can go even further and allow some arguments and then explictly deny some.

Again from the official documentation (https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#EXAMPLES) :

pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

 

This allows fine grained access and is certainly necessary in certain environments.

In your case adding the path to be mounted to the /usr/bin.mount command will achieve what you are looking for.

Keep in mind that you know about various ways to elevate/escape certain restrictions.

E.g. if you grant anyone permission to run `vim` as root they can use vim's shell interface to open a shell as root. Many tools have such features.
https://www.sudo.ws/docs/man/1.8.17/sudoers.man/#Preventing_shell_escapes describes some ways to protect but be mindful of the last paragraph about the inherit risks.

DNAtsol_student
Mission Specialist
Mission Specialist
  • 231 Views

Thanks very much for this.

I was able to figure it out based on the references and suggestions you made.

I could successfully get /bin/mount to not require a password but when I got more specific (/bin/mount -t nfs my.local.ip.address:share/path /local/mount/point) Ikept getting syntax errors

I ended up backing off the specificity and just included the ip address of the nfs share with a wildcard * (/usr/bin/mount -t nfs my.local.ip.address*). This accomplished my goal.

cronjob... here I come

 

Appreciate the help!

 

 

 

0 Kudos
Join the discussion
You must log in to join this conversation.