Ubuntu – Block a command from sudo user

rootsudo

I don't need an administrator to change my root password. I don't want any sudo user to execute this command:

sudo passwd $root

I have tried it in the sudoers file using the following command:

%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root

How can I block it?

Best Answer

According to sudoers manual:

   It is generally not effective to "subtract" commands from ALL using the
   ’!’ operator.  A user can trivially circumvent this by copying the
   desired command to a different name and then executing that.  For
   example:

       bill        ALL = ALL, !SU, !SHELLS

   Doesn’t really prevent bill from running the commands listed in SU or
   SHELLS since he can simply copy those commands to a different name, or
   use a shell escape from an editor or other program.  Therefore, these
   kind of restrictions should be considered advisory at best (and
   reinforced by policy).

This is why your sudoers policy doesn't work.

If you would like to prevent user to gain root permission and change its password, try this procedure:

Assuming your sudoers contains this directive:

 root    ALL=(ALL:ALL) ALL
 %sudo   ALL=(ALL:ALL) ALL

Assuming your user name is foo, his groups are foo and sudo. groups command output is:
```
foo sudo
```
Remove user foo from sudo group: gpasswd -d foo sudo after this, user foo can not run any command with sudo.
Edit sudoers file. Use this command:
```
sudo visudo -f /etc/sudoers.d/foo
```
Define user foo permission, for example:
```
foo ALL=/usr/bin, !/usr/bin/passwd, !/usr/bin/su
```
This means that user foo may run any commands in the directory /usr/bin/ except passwd and su command. Note: If the user foo wants to change his password, can run passwd command without sudo.
Another example of user foo permission:
```
foo ALL =/usr/bin, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
```
This means that user foo may run any commands in the directory /usr/bin/ and is allowed to change anyone’s password except for root on ALL machines.

You can define groups of command by define Cmnd_Aliases and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.

Related Solutions

Ubuntu – How to use sudo from a standard user

Use pkexec instead. If the current user doesn't have privileges, or if there are multiple users who can authorize an action, it will prompt you to select the user:

$ pkexec true              
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/true' as the super user
Multiple identities can be used for authentication:
 1.  muru
 2.  sysad, (sysad)
Choose identity to authenticate as (1-2): 1
Password:

pkexec, of course, does not follow the sudo configuration, but its own. However, if you added admin users by adding them to the sudo group, they will also be granted Polkit admin rights by Ubuntu's default configuration.

Ubuntu – Sudo requires password after adding user to sudoers

You should use NOPASSWD option

aman ALL=(ALL) NOPASSWD:ALL

However, I would not recommend it that way, because user aman can execute anything without password. I would only allow the systemctl command to be executed without password like this:

aman     ALL=NOPASSWD:/bin/systemctl

It is safer that way.

Best Answer

Related Solutions

Ubuntu – How to use sudo from a standard user

Ubuntu – Sudo requires password after adding user to sudoers

Related Question