1

We have an Ubuntu 14.04 machine in our lab and my plan is to restrict changing anything in the /etc directory by users with sudo privilege so that only the root user can edit the configuration files.

Is there any software to apply this type of policy like there is in Windows server?

Zanna
  • 70,465
Nullpointer
  • 1,161
  • 3
  • 15
  • 32
  • 7
    why would you give a sudo privilege to users you can't trust editing configuration files? – Yaron Apr 20 '17 at 06:03
  • I give to all privilege except /etc directory. – Nullpointer Apr 20 '17 at 06:09
  • 2
    why would you do that? – Yaron Apr 20 '17 at 06:11
  • User are change the resolve.conf, apache conf etc. files, result may going wrong. – Nullpointer Apr 20 '17 at 06:16
  • 2
    why do you want to give those users sudo privilege? – Yaron Apr 20 '17 at 06:17
  • 4
    Anyone with sudo privileges can change to root in terminal (sudo -i or sudo su root). Hence, anyone with sudo privileges will still have access to /etc. The exercise seems pointless. – b_laoshi Apr 20 '17 at 06:21
  • Ok, Here my plan is to user can kill the process, restart all services, mount, change permission and owner, ifdown/up, vagrant etc. – Nullpointer Apr 20 '17 at 06:34
  • 1
    See the link in the answer. What you want can be done that way but you need to make a command for anything you want them to be able to do. – Rinzwind Apr 20 '17 at 06:35
  • 4
    Of course, if you give a user mount permissions, they can just mount a small filesystem over /etc. If you're going to roll your own security model, it becomes your responsibility to make it consistent and coherent, and that's not easy. – MSalters Apr 20 '17 at 10:22
  • This sounds like an XY Problem. What are you actually trying to achieve? – David Foerster Apr 22 '17 at 10:26
  • 1
    It sounds like you actually want to create a user group that has the privileges to run and manage specific services, manage specific network interfaces and mount to mountpoints that are white-listed or that they own. Unrestricted mount privileges can be escalated trivially to generic super-user privileges as can unrestricted ownership and access permission changes. You'll want to think about the latter a little more. – David Foerster Apr 22 '17 at 10:30

2 Answers2

10

No, there is no software for that. And if there was a "sudo" user would be able to revert what that software changed for a user not being able to change anything in /etc.

If you do not trust your users do not make them a "sudo" user and create regular users for them.

Ok, Here my plan is to user can kill the process, restart all services, mount, change permission and owner, ifdown/up, vagrant etc.

But that has nothing to do with being able to not change /etc: you can have a regular user with elevated power so (s)he can use specific commands that require "sudo" without being admin on that machine. Example of this: Giving limited Sudo privilege to a user Setting it up like this means they can not change anything in /etc unless you create a command where they can. But if you believe it is a good idea to have a user be able to do anything except changing files in /etc it is going to be a very long list.

Be careful though: it is easy to add conflicting commands. See the comment from msalters for instance.

Rinzwind
  • 299,756
  • For example, if you have "change permission and owner" then you have the ability to run anything as root (and thus do anything you want). – OrangeDog Apr 20 '17 at 13:14
  • Never mind being able to edit a specific configuration file. Most editors (particularly those that are designed to run in a terminal) have facilities to shell out, either to a shell or to execute an arbitrary command from within the editor, so by allowing a user to edit a specific file, you may be enabling them to execute arbitrary shell commands as the user that owns that file. – user Apr 20 '17 at 13:32
0

or you could try to chattr +Rais /etc it will however deny any changes to /etc folder by anyone too, and must instruct whoever updates / configures stuff on the system to chattr -Rais the folder before doing so. However this is not really a solution, one can revert the changes if he knows, how. If you don't trust the users, i would advice installing "rootsh" - it's an app that logs EVERYTHING a user does, including his output.

dubsauce
  • 31
  • 1
    "i would advice installing "rootsh" - it's an app that logs EVERYTHING a user does, including his output" and that will take someone with root access how long exactly to bypass? Counting down... three... two... one... – user Apr 20 '17 at 13:33