SUDO !-rules

Checked one insecure approach to use sudo not to allow commands, but to prohibit commands for user with the NOT-operator “!”. Why it’s a bad idea we can see in the sudoers man page:

” Limitations of the ‘!’ operator

It is generally not effective to “subtract” commands from ALL using the ‘!’ operator. A user can trivially circumvent this by copying the  desired command to a different name and then executing that. For example:

bill ALL = ALL, !SU, !SHELLS

Doesn’t really prevent bill from running the commands listed in SU or SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy).”

RHEL 5,6 – works
RHEL 7 – does not work, which is good. Still, wanted by some customers.







Leave a Reply

Your email address will not be published. Required fields are marked *