restrict using sudo from the host

Support for security such as Firewalls and securing linux
bibl2008
Posts: 4
Joined: 2014/03/07 10:12:51

restrict using sudo from the host

Post by bibl2008 » 2017/10/20 08:26:32

Hello,
Please help me with how I can restrict the use of sudo to only one host. For example, I tried the following:

# User privilege specification
ruser rhost1,rhost2=/usr/sbin/postmap, /usr/bin/chcon, /usr/bin/rm

I am trying to restrict the use of sudo on the server for the user "ruser" to only the remote hosts "rhost1" and "rhost2". I mean that if the user "ruser" connects to the server and tries to run "sudo /usr/sbin/postmap", it will be blocked.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: restrict using sudo from the host

Post by TrevorH » 2017/10/20 08:48:56

Something like this

Host_Alias MAIL = rhost1.company.com, rhost2.company.com

Cmnd_Alias PMAP = /usr/sbin/postmap

ruser MAIL=(ALL) PMAP

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

bibl2008
Posts: 4
Joined: 2014/03/07 10:12:51

Re: restrict using sudo from the host

Post by bibl2008 » 2017/10/20 08:54:08

TrevorH wrote: Something like this

Host_Alias MAIL = rhost1.company.com, rhost2.company.com

Cmnd_Alias PMAP = /usr/sbin/postmap

ruser MAIL=(ALL) PMAP

Thanks, but what is (ALL) for in this config? What does it mean?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: restrict using sudo from the host

Post by TrevorH » 2017/10/20 09:14:20

Read man sudoers and look at the various examples they give.

bibl2008
Posts: 4
Joined: 2014/03/07 10:12:51

Re: restrict using sudo from the host

Post by bibl2008 » 2017/10/20 10:42:12

With this config:
Host_Alias RHOST = rhost1.company.nl, 192.168.0.13
Cmnd_Alias PMAP = /usr/sbin/postmap
Ruser RHOST=(ALL) PMAP

I get the following error:
Oct 20 12:46:02 Server sshd[45416]: Accepted password for Ruser from 192.168.0.13 port 41748 ssh2
Oct 20 12:46:02 Server sshd[45416]: pam_unix(sshd:session): session opened for user Ruser by (uid=0)
Oct 20 12:46:08 Server sudo: pam_sss(sudo:auth): authentication success; logname=Ruser uid=2005 euid=0 tty=/dev/pts/1 ruser=Ruser rhost= user=Ruser
Oct 20 12:46:08 Server sudo: Ruser : user NOT authorized on host ; TTY=pts/1 ; PWD=/home/Ruser ; USER=root ; COMMAND=/usr/sbin/postmap
Oct 20 12:46:08 Server sshd[45512]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhost1.company.nl user=Ruser
Oct 20 12:46:08 Server sshd[45512]: pam_sss(sshd:auth): received for user Ruser: 7 (Authentication failure)
Oct 20 12:46:08 Server sshd[45510]: error: PAM: Authentication failure for Ruser from rhost1.company.nl

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: restrict using sudo from the host

Post by TrevorH » 2017/10/20 10:58:19

You appear to be ssh'ing FROM rhost1 (192.168.0.13) to another system. That other system is where you're running sudo and is the one that needs to be in sudoers.

bibl2008
Posts: 4
Joined: 2014/03/07 10:12:51

Re: restrict using sudo from the host

Post by bibl2008 » 2017/10/20 12:48:39

But I need to restrict using sudo from one remote host to a lot of hosts and allow the use of sudo only from one remote host. Is it impossible?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: restrict using sudo from the host

Post by TrevorH » 2017/10/20 13:45:03

That's not how it works. The places where you can specify the host in sudoers are so that you can use the same sudoers files across multiple hosts and give different access to different things depending on which host the commands are run. I do not think that sudo knows anything about ssh access from different hosts.

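Since sudoers host entries match the host on which sudo runs (TrevorH's point above), and the pam_sss line in the log excerpt shows that sudo itself records no remote host (its rhost= field is empty), reviewing sudo use per SSH origin has to be done by correlating sshd and sudo log lines instead. The shell script below is an added example, not code from this thread or from the sudo project: it remembers the source address of a user's most recent accepted sshd login and then reports every later sudo COMMAND= line of that user whose origin is not the expected address. The sample log is constructed in the format of the excerpt above (the addresses 10.0.0.7 and the rm command are invented), and the "most recent login wins" pairing is a stated simplification, because sshd does not log which pty a session was given.

```shell
#!/bin/sh
# Added example: report sudo commands run from an unexpected SSH origin by
# correlating sshd login lines with sudo log lines. Not from the thread or sudo.

# Constructed sample log in the syslog format of the thread's excerpt.
SAMPLE_LOG='Oct 20 12:46:02 Server sshd[45416]: Accepted password for Ruser from 192.168.0.13 port 41748 ssh2
Oct 20 12:46:02 Server sshd[45416]: pam_unix(sshd:session): session opened for user Ruser by (uid=0)
Oct 20 12:46:08 Server sudo: pam_sss(sudo:auth): authentication success; logname=Ruser uid=2005 euid=0 tty=/dev/pts/1 ruser=Ruser rhost= user=Ruser
Oct 20 12:46:08 Server sudo: Ruser : TTY=pts/1 ; PWD=/home/Ruser ; USER=root ; COMMAND=/usr/sbin/postmap
Oct 20 12:50:00 Server sshd[45600]: Accepted publickey for Ruser from 10.0.0.7 port 50000 ssh2
Oct 20 12:50:05 Server sudo: Ruser : TTY=pts/2 ; PWD=/home/Ruser ; USER=root ; COMMAND=/usr/bin/rm /tmp/x'

# sudo_by_origin USER ALLOWED_ADDR
# Reads syslog lines on stdin. Remembers the source address of USER's most recent
# accepted ssh login (simplification: sshd does not log which pty the session got),
# then prints "<origin> <command>" for each sudo COMMAND= line of USER whose
# remembered origin is not ALLOWED_ADDR. Prints nothing when every origin matches.
sudo_by_origin() {
    awk -v u="$1" -v ok="$2" '
        # sshd: "Accepted <method> for <user> from <addr> port <n> ssh2"
        $5 ~ /^sshd/ && $6 == "Accepted" && $9 == u { origin = $11 }
        # sudo: "<user> : ... COMMAND=<cmd>" (the denied "user NOT authorized" form fits too)
        $5 == "sudo:" && $6 == u && /COMMAND=/ {
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            src = (origin == "") ? "unknown" : origin
            if (src != ok) print src, cmd
        }'
}

# count_flagged USER ALLOWED_ADDR: number of flagged sudo commands in the sample log.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | sudo_by_origin "$1" "$2" | wc -l | tr -d ' '
}

# Demo: with 192.168.0.13 as the only expected origin, only the rm from 10.0.0.7 is reported.
printf '%s\n' "$SAMPLE_LOG" | sudo_by_origin Ruser 192.168.0.13
```

To use it on a real host, replace the sample with the relevant part of /var/log/secure (or journalctl output in the same format) on stdin and run sudo_by_origin with the user and the address that is supposed to be the only one using sudo; each reported line is a sudo invocation that sudoers alone could not have refused on the basis of where the SSH session came from.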