我正在尝试剥夺用户 Rick 的重新启动权限。我已经尝试过!和NOEXEC。还有其他方法可以做到这一点吗?
Rick ALL = (ALL) !/sbin/reboot
Rick ALL = NOEXEC: /sbin/reboot
答案1
你不能。实际上不可能创建“负 sudo”来为用户分配运行除某些命令之外的任何命令的权限。这是因为用户可以轻松绕过这些限制,例如
- 通过将被拒绝的命令插入 shell 脚本并运行它
- 通过将拒绝的命令复制到不同的名称
- 通过运行类似的命令(在您的情况下
init 6,telinit 6、shutdown -r now和systemctl isolate reboot.target都将执行重新启动并且不会拒绝命令) - 通过运行被拒绝的命令
exec - 通过从文本编辑器或其他程序中转义 shell
- 或者简单地通过切换到 root 用户
su
联机帮助页中也提到了这一点sudoers:
SECURITY NOTES
Limitations of the ‘!’ operator
It is generally not effective to “subtract” commands from ALL
using the ‘!’ operator. A user can trivially circumvent this by copy-
ing the desired command to a different name and then executing that.
For example:
bill ALL = ALL, !SU, !SHELLS
Doesn’t really prevent bill from running the commands listed in SU
or SHELLS since he can simply copy those commands to a different
name, or use a shell escape from an editor or other program.
Therefore, these kind of restrictions should be considered advisory at
best (and reinforced by policy).
In general, if a user has sudo ALL there is nothing to prevent
them from creating their own program that gives them a root shell (or
making their own copy of a shell) regardless of any ‘!’ elements
in the user specification.
相反,您应该确定用户所需的一组受限命令,并仅授予对这些命令的访问权限。
NOEXEC只是禁用 shell 转义,并不能防止所有其他规避方法。