Support for security such as Firewalls and securing linux
-
TrevorH
- Site Admin
- Posts: 33219
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2020/08/16 13:49:18
You told it the user is not allowed to run /bin/su but you neglected all the other 10001 ways of getting root. For example, I can sudo /bin/bash and now I have a root command prompt, or sudo visudo and amend the file directly. And that's without using anything like sudo less /var/log/messages then using `:!visudo` from within that to execute commands as root.
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/08/16 20:36:16
TrevorH wrote: ↑2020/08/16 13:49:18
You told it the user is not allowed to run /bin/su but you neglected all the other 10001 ways of getting root. For example, I can sudo /bin/bash and now I have a root command prompt, or sudo visudo and amend the file directly. And that's without using anything like sudo less /var/log/messages then using `:!visudo` from within that to execute commands as root.
How can I solve it? I'm thankful if you show me the wrong part.
-
TrevorH
- Site Admin
- Posts: 33219
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2020/08/16 21:53:19
There is no solution to doing things the way you tried. You cannot "allow everything and deny specific things" unless you spend the next few years itemising all the things on your system that could be used to escalate or break out of root. To use sudo safely you must allow just the things you allow this user to do and forbid everything else. Or let them do everything.
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/08/17 05:36:59
TrevorH wrote: ↑2020/08/16 21:53:19
There is no solution to doing things the way you tried. You cannot "allow everything and deny specific things" unless you spend the next few years itemising all the things on your system that could be used to escalate or break out of root. To use sudo safely you must allow just the things you allow this user to do and forbid everything else. Or let them do everything.
I want to give a the username and password to a remote user. this user wants to install and configure server but I don't like change the root password
-
jlehtone
- Posts: 4530
- Joined: 2007/12/11 08:17:33
- Location: Finland
Post
by jlehtone » 2020/08/17 07:11:54
hack3rcon wrote: ↑2020/08/17 05:36:59
this user wants to install and configure server
What does "install a server" mean?
If it does mean administration of whole CentOS, then it is user's system.
If it does mean a web page, then user does not need any admin privileges.
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/08/19 12:24:07
Thus, there is no way to let a user installing applications but can't see other parts of the system?
-
poky
- Posts: 108
- Joined: 2013/03/27 12:18:03
Post
by poky » 2020/09/05 16:37:25
You can make KVM virtual OS and get root password for this virtual OS.
