Monday, 11 June 2012

Restricting root shell and root user access through sudo

One of the issues I’ve encountered a number of times in assessments of Linux and AIX environments is the provision of excessive permissions using sudo. This article is an attempt to highlight those issues and provide some guidance as to practical resolution.

It is typical in a secured Windows environment that the administrator username is not used for standard business and that those users who require elevated privileges are members of the “Domain Admins” Organisation Unit. The generic Windows administrator account would be renamed and given a randomised long and complex password, which would then be physically secured and access-restricted. In Windows, audit trails can be maintained against each user, and users do not execute commands as other users. This is somewhat different in a Linux environment.

In Linux, it has become more standard to use sudo (“substitute user do”) to run commands as another user. In its default implementation sudo is generally configured as follows (example from CentOS):

%wheel ALL = (ALL) ALL

In Red Hat and CentOS, the members of the wheel group are provided full sudo privileges. In Ubuntu or Debian this would be the members of the sudoers group or the admin group.

The above means that a user who is a member of the wheel group can execute ALL commands as ALL users from ALL terminals. In other words, a member of the wheel group can masquerade as other users or can drop to a root shell, and there is no longer a full audit trail against him.

Users often drop to a root shell to avoid typing sudo before every command. Dropping to a root shell is usually done using `su -`, `sudo -i`, `sudo -s`, `sudo bash`, etc. In order to prevent sudoers from dropping to a root shell, the shell commands can be removed from the executable files available to the users. This can be done by editing the sudoers file as follows:

# Shells that sudoers may not run as root (/bin/sh and /bin/bash added, since "sudo bash" is one of the common ways to get a root shell)
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, /usr/bin/rsh, /usr/local/bin/zsh

Cmnd_Alias SU = /usr/bin/su
%wheel ALL = ALL, !SHELLS, !SU

In the above, members of the wheel group can execute all commands on all systems except those commands listed in SHELLS and SU. Sometimes it is necessary for users to drop to a shell when performing administrative functions. Using the above, you could have a configuration with one or two users permitted to have full root abilities, with the other domain admins having the restricted rule:

%admin ALL = (ALL) ALL
%wheel ALL = ALL, !SHELLS, !SU

Limit access to the admin group in the same way you might limit access to the administrator account in Windows.
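To check a policy like the one above before deploying it, here is a small model of sudoers command matching, added as an illustration (it is not the post's own code and not sudo itself). It expands Cmnd_Alias entries and applies the "last matching entry wins" rule documented in sudoers(5), so it shows both that `!SHELLS, ALL` would permit everything (order matters) and, as the first comment below points out and the sudoers manual itself warns, that `!` negation is purely path-based. The sudoers fragment embedded in it is constructed to mirror the article's.

```python
"""Simplified sudoers matching model (added illustration, not the post's own
code and not sudo): Cmnd_Alias expansion plus 'last matching entry wins'."""
import re

# Constructed sudoers fragment mirroring the article's policy.
SUDOERS = """
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
%wheel ALL = ALL, !SHELLS, !SU
%admin ALL = (ALL) ALL
"""

def parse(text):
    """Return ({alias: [paths]}, {group: [(negated, entry), ...]})."""
    aliases, specs = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
            continue
        # "%group HOSTS = [(runas)] entry, entry ..." -- runas part ignored here
        m = re.match(r"%(\w+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if m:
            entries = []
            for e in m.group(2).split(","):
                e = e.strip()
                entries.append((e.startswith("!"), e.lstrip("!").strip()))
            specs[m.group(1)] = entries
    return aliases, specs

def allowed(group, command, aliases, specs):
    """True if the last entry matching `command` permits it; False if the
    last match is a negation or nothing matches.  Aliases expand to paths."""
    verdict = False
    for negated, entry in specs.get(group, []):
        paths = aliases.get(entry, [entry])
        if "ALL" in paths or command in paths:
            verdict = not negated
    return verdict

def check(group, command, text=SUDOERS):
    """Evaluate one (group, command) pair against a sudoers text."""
    aliases, specs = parse(text)
    return allowed(group, command, aliases, specs)
```

Run `check("wheel", "/bin/bash")` against the embedded policy and it is denied, while a copy of the same binary at another path is not, which is why file immutability and controlling user-writable directories come up in the comments.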


  1. The problem here is that a user can perform `cp /bin/bash /opt/myprog && sudo /opt/myprog` and get a root shell in any case...

    1. You could make the shells immutable with `chattr +i`. I would suggest also making the /usr/bin/sudo binary and /etc/sudoers files immutable. I am still finding additional weaknesses in this, but it's an improvement...

      Other things to consider would be whether the users have the ability to bring in a shell from external and run executables in user writable directories.

    2. "You could make the shells immutable with `chattr +i`." We can do this, but since the USER has all access, what if the user does `chattr -i` for the shell and sudoers file?

  2. The syntax of

    Cmnd_Alias SU
    SU = /usr/bin/su

    appears to be wrong.

    Cmnd_Alias SU = /usr/bin/su

  3. How to restrict "sudo su" when I need to switch to normal users? The main aim is to restrict root through any means.

    Thanks in advance