linux-admin.vger.kernel.org archive mirror
From: Pradeep Kumar Sadanapalli <spradeep@ceeby.com>
To: Subhash Bhushan <subhash_bhushan@hotmail.com>, spradeep@ceeby.com
Cc: linux-admin@vger.kernel.org
Subject: Re: Sudo
Date: Thu, 19 Jun 2003 14:08:00 -0700 (PDT)
Message-ID: <20030619210801.298A0445D@sitemail.everyone.net>

Thanks Subhash for guiding me in the right direction, and thank you all for all your responses. This is what I did.

In the sudoers file, I added this:

"
# To restrict the user in installing any rpm starting with abc

Cmnd_Alias NOACCESS = /bin/rpm *abc*
# Allow rpm in general, then negate the alias; a bare "= NOACCESS" would grant it
user1 host-name = /bin/rpm, !NOACCESS

"
Now the user 'user1' will not be able to install/uninstall/query any rpm package that has abc in it.

But the problem is, say user1 wants to install abc.rpm and, as he is restricted, he/she cannot install. But there is one way. If the user changes the name of the rpm, say "cp abc.rpm xyz.rpm", then user1 can easily install xyz.rpm. And if you log in as root and query for the package abc.rpm, it says abc.rpm is installed, even though the user has installed it with a different name.

How to get rid of this? Is it possible to detect which rpm package is going to be installed, even if its name is changed, by somehow looking into internal packages or something like that? Please help me with this. I hope I made my point clear. Thanks a lot in advance....


--- "Subhash Bhushan" <subhash_bhushan@hotmail.com> wrote:
>>From: Pradeep Kumar Sadanapalli <spradeep@ceeby.com>
>>Reply-To: spradeep@ceeby.com
>>To: linux-admin@vger.kernel.org
>>Subject: Sudo
>>Date: Tue, 17 Jun 2003 20:16:59 -0700 (PDT)
>>
>>Hi,
>>I have given sudo rights to a user for the command "rpm", but within rpm,
>>I want to keep some restrictions. For example, the user should not be able
>>to run "rpm" to install a package I wish, say "abc.rpm".
>>
>>That means "sudo rpm -ivh any.rpm" should work except "sudo rpm -ivh
>>abc.rpm"
>>
>>Is it possible? If so, please help me out how to do this. I hope I am clear
>>with what I intend to do.
>>
>>Thanks in advance....
>>
>
>
>Specify a command alias with the specific rpm command that you want to deny.
>Specify a user alias for all the users you want to prevent from running this 
>command.
>In the user privilege specification, negate the permission for running
>the command for those users.
>
>The trick is to specify the complete command in the command alias. Be 
>careful not to allow any combinations of rpm command to be able to run with 
>that specific rpm.
>
>Subhash Bhushan.
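The check asked about in the message above, as an added example that is not part of the original thread: the package name is stored in the RPM header, so a wrapper granted through sudo in place of /bin/rpm can read it with `rpm -qp` and ignore the file name. The wrapper name `rpm-install-guard`, `DENY_PATTERN` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Grant this wrapper through
# sudo in place of /bin/rpm. The wrapper name, DENY_PATTERN and the
# function names are assumptions made for illustration.

DENY_PATTERN='*abc*'    # same glob as the Cmnd_Alias in the message

# Print the package name recorded in the RPM header of file $1.
# The header is inside the package, so renaming the file does not change it.
pkg_name() {
    rpm -qp --queryformat '%{NAME}\n' "$1" 2>/dev/null
}

# Return 0 if file $1 may be installed, 1 if it is denied or unreadable.
check_pkg() {
    name=$(pkg_name "$1") || return 1
    [ -n "$name" ] || return 1
    case $name in
        $DENY_PATTERN) return 1 ;;
    esac
    return 0
}

# Accept package files only (no rpm options), check each, then install.
safe_install() {
    [ "$#" -gt 0 ] || { echo "usage: rpm-install-guard FILE.rpm..." >&2; return 2; }
    for f in "$@"; do
        case $f in
            -*) echo "options are not accepted: $f" >&2; return 2 ;;
        esac
        check_pkg "$f" || { echo "denied: $f" >&2; return 1; }
    done
    rpm -ivh "$@"
}

# Run only when installed under the (hypothetical) wrapper name.
case ${0##*/} in
    rpm-install-guard) safe_install "$@" ;;
esac
```

Install scriptlets run as root, so this narrows which packages go in but does not make `sudo rpm` safe for an untrusted user; an allowlist of names is the stricter form of the same check. Because the file is read once for the check and again for the install, the wrapper should copy it to a root-owned directory first when the source directory is user-writable.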
