help-bash

From: Greg Wooledge
Subject: Re: Is there a way to effectively jail a sudo-er not to breach system logging?
Date: Mon, 13 Sep 2021 11:35:54 -0400

On Mon, Sep 13, 2021 at 02:51:32PM +0000, conan zhan wrote:
> Therefore, it is very delicate management not to grant server maintainers
> sudo/wheel privilege since both of them are equivalent to root, and it is a
> very tiring job to think of a whitelist strategy on what they CAN do rather
> than what they CANNOT do.

This is all well outside the scope of help-bash, which only covers the
shell and the common tools used in scripting.  Securing an operating
system installation against whatever threat model you envision is more
appropriate for an operating system's mailing list.  Or perhaps a focused
security-oriented mailing list.

> So is there a way to ban a sudo-er from the following actions:

You can read "man sudoers" and try to figure out what's possible.  Good
luck.  I personally find the sudoers syntax incredibly cryptic and
over-engineered, but maybe it'll be suitable for what you want.  Maybe not.

Keep in mind that once a program has been launched with whatever
privileges, it does whatever it does.  You can't really prevent it from
doing what it wants, within the privileges that it was born with.  You
have to take away its privileges up front.  I don't really know whether
sudo offers the kind of fine-grained control you want.  Maybe you can
look into things like AppArmor, SE-Linux and so on.

Again, this stuff isn't on topic for help-bash.
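As an added illustration of the allow-list ("what they CAN do") approach the thread mentions, and of the point that privileges have to be removed up front: the following sudoers drop-in is an example written for this archive page, not part of the message above. The file path, the group name `srvmaint`, the service name and the I/O log directory are assumptions.

```sudoers
# Example drop-in, e.g. /etc/sudoers.d/maintainers (assumed path).
# Syntax-check before installing:  visudo -cf /path/to/maintainers
# Install with mode 0440; a parse error in a live file can lock sudo out.

# Maintainers are identified by group membership (assumed group name).
User_Alias   MAINTAINERS = %srvmaint

# Only the commands they need, with full paths and fixed arguments.
# Editors, pagers and interpreters are deliberately absent: any of them
# can spawn a shell, which hands back unrestricted root.
Cmnd_Alias   SERVICES = /usr/bin/systemctl restart nginx, \
                        /usr/bin/systemctl status nginx, \
                        /usr/bin/journalctl -u nginx

# NOEXEC prevents the allowed program from executing further programs
# (systemctl and journalctl would otherwise start a pager such as less,
# which can run a shell). It is enforced via LD_PRELOAD, so statically
# linked or setuid binaries are not covered.
MAINTAINERS  ALL = (root) NOEXEC: SERVICES

# Record every session: force a pty and log terminal I/O to a directory
# the maintainers have no other route to.
Defaults     use_pty
Defaults     log_output
Defaults     iolog_dir = /var/log/sudo-io
```

The key check when reviewing such a file is whether any listed command, with the arguments allowed, can write arbitrary files or start another process; if it can, the restriction is only cosmetic. The local I/O logs are written as root and can be removed by anyone who does obtain root, so forwarding them to a separate log host is what actually addresses the "breach system logging" concern in the subject line.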
