I want to restrict certain commands to certain users that are sudoers, for example:

john ALL=ALL,!/usr/bin/apt-get #john won’t be able to run apt-get

My question comes when john can use cp, mv or ln to copy and change the name of the binary, for example:

john home$ sudo ln -s /usr/bin/apt-get myaptget

This renders my sudoers file configuration useless.

Any suggestions, plugin/app to restrict and differentiate sudoers/permissions?

Imagine I have 2 administrators on my system, but I’d like one of them to have more control than the other…

Thank you very much for your answers,
best regards!


Hi @L0rdSergio,

I’m not sure you’ll be able to execute the myaptget command even if you’ve created the symlink. Have you tried it, does it work?

As for the 2 administrators, you’ll just need to create two different groups which are sudoers or just have some different level of access in terms of commands and assign the administrators to whichever group you need them to be.

I’ll recommend giving the following tutorial a read, I think it will be useful:

https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file

  • Hi there!

    Yes, the other sudoer can create the symlink and use the command, even though it’s restricted in the sudoers file!

    I tested it and it works perfectly :(

    So, if the other sudo user can access the binary, are the restrictions of the sudoers file useless?

    Thanks!

    • Hi @L0rdSergio,

      In that case, maybe you can restrict the symlink command ln so that no sudoer can use it?

      Having said that, yes, in that sense it does seem useless unless the ln command is restricted I guess.
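The behaviour observed in this thread is the documented limitation of the `!` operator in sudoers(5): a rule that grants ALL and then subtracts commands cannot be enforced, because the user can copy, move or link the binary to a name that is not excluded. The following sudoers fragment is an added example, not part of the original question or answer, showing the weak form beside an allowlist form that gives two administrators different levels of control; the user names alice and john, the group-like aliases, and the nginx commands are assumed for illustration.

```sudoers
## Weak form from the question: a denylist on top of ALL.
## john can run 'sudo cp /usr/bin/apt-get /tmp/aptcopy' (cp is covered
## by ALL) and then 'sudo /tmp/aptcopy', so the '!' entry blocks nothing.
# john  ALL=(ALL) ALL, !/usr/bin/apt-get

## Corrected form: one allowlist per tier (names assumed for this example).
User_Alias  FULL_ADMINS    = alice
User_Alias  LIMITED_ADMINS = john

# Commands are listed with their exact arguments; sudo only matches
# an invocation whose arguments are identical to what is written here.
Cmnd_Alias  SERVICE_CTL = /usr/bin/systemctl restart nginx.service, \
                          /usr/bin/systemctl reload nginx.service
Cmnd_Alias  CONFIG_TEST = /usr/sbin/nginx -t

# Full tier keeps unrestricted sudo.
FULL_ADMINS     ALL=(ALL:ALL) ALL

# Limited tier: only the listed commands, run as root. apt-get is
# denied simply by not being listed, and none of the allowed commands
# lets john copy, move, link or execute an arbitrary binary.
LIMITED_ADMINS  ALL=(root) SERVICE_CTL, CONFIG_TEST
```

Validate the file with `visudo -c` before installing it, and confirm the effective rules for a user with `sudo -l -U john`.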