有没有办法限制以下命令sudo -i
或文件sudo -s
中的内容sudoers
?
当我添加!/usr/bin/sudo -i
或 时!/usr/bin/sudo -s
,sudo
仍然允许用户运行该命令。
答案1
我知道这不是一个好的答案,因为我不能直接回答你的问题,但是有man sudoers
一个部分叫做防止 Shell 逃逸我认为你可能会感兴趣:
一旦 sudo 执行了某个程序,该程序就可以自由地做任何它想做的事情,包括运行其他程序。这可能是一个安全问题,因为程序允许 shell 逃逸并不罕见,这让用户可以绕过 sudo 的访问控制和日志记录。允许 shell 逃逸的常见程序包括 shell(显然)、编辑器、分页器、邮件和终端程序。
解决这个问题有两种基本方法:
restrict Avoid giving users access to commands that allow the user to run arbitrary commands. Many editors have a restricted mode where shell escapes are disabled, though sudoedit is a better solution to running editors via sudo. Due to the large number of programs that offer shell escapes, restricting users to the set of programs that do not is often unworkable. noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate shared library. On such systems, sudo's noexec functionality can be used to prevent a program run by sudo from executing any other programs. Note, however, that this applies only to native dynamically-linked executables. Statically-linked executables and foreign executables running under binary emulation are not affected.
答案2
sudoers 中的黑名单几乎肯定是浪费时间。解决方法实在太多了。
要实施任何类型的限制,白名单是唯一可行的方法。即便如此,也要小心白名单中包含的任何命令的权限(需要定期审核)、可能允许 shell 转义的任何命令以及可以写入新/现有文件的任何命令。
例如,这些都是不好的想法:
- 允许 sudo 访问执行用户拥有的脚本
- 给予 sudo 访问“less”的权限
- 授予 sudo 访问“cp”的权限