Score:0

/etc files security/hardening (sudo)


On Ubuntu 22.04, is it possible to deny ALL modifications of /etc files and grant ONLY specific file(s) when running as sudo? e.g.:

sudo text-mode-editor-filtered-path /etc/hostname

If the absolute path /etc/hostname is in /etc/text-mode-editor-filtered-path.conf, the command above works with root read/write permission(s).

It is like visudo (sudo visudo). But visudo is only permitted to read/write /etc/sudoers. My idea is to harden /etc files.

On /etc/sudoers we could have this:

myuser ALL=(ALL:ALL) /usr/bin/visudo,/usr/bin/text-mode-editor-filtered-path,/usr/bin/anyother-non-text-editor

So only visudo can edit /etc/sudoers, and only text-mode-editor-filtered-path can edit its .conf containing the absolute path(s) of /etc file(s).

Any idea?

muru:
Blacklist/whitelist ideas like these don't work well in practice, because often there's no way for you to stop someone from starting the editor with some permitted file, and then using the editor's functionality for opening files to access some disallowed file. Also you can edit whatever file you want with `visudo` using `visudo -f /path/to/file`.
muru:
Does this answer your question? [How can I allow a user to edit a specific system file normally restricted to root?](https://askubuntu.com/questions/505050/how-can-i-allow-a-user-to-edit-a-specific-system-file-normally-restricted-to-roo)
Luiz Carlos:
@muru The "issue" with visudo -f is that sudo_user or a member of group_sudo can change/edit any file in /etc. ACL is more permissive than visudo, so less safe. But we could combine visudo with ACL. Not blacklisting root_user, but allowing sudo_user(s) to make modifications to specific system files (in the etc directory) normally restricted to root. Like we can restrict binaries that can run with root privileges via the sudo command (/etc/sudoers)
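One way to build the filtered wrapper the question proposes while addressing the point raised in the comments (an editor started as root can open any file through its own open-file feature) is to do what sudoedit does: check the requested path against a root-owned allowlist, then run the editor as the invoking user on a temporary copy and copy the result back as root. The script below is an added example, not code from the thread or from Ubuntu; the allowlist file name, the wrapper name, the exit codes, and the use of realpath(1), runuser(1) and /usr/bin/editor (the Debian editor alternative) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). A privileged wrapper in the spirit of the
# hypothetical "text-mode-editor-filtered-path": it permits editing only files
# listed in an allowlist and, like sudoedit, runs the editor as the invoking
# user on a temporary copy, so the editor's own "open file" features run without
# root and cannot reach anything outside the list.
#
# Assumed (not from the page): the allowlist path, the wrapper name, and the
# availability of realpath(1), runuser(1) and /usr/bin/editor on Ubuntu 22.04.

set -eu

ALLOWLIST=${ALLOWLIST:-/etc/text-mode-editor-filtered-path.conf}
EDITOR_CMD=${EDITOR_CMD:-/usr/bin/editor}   # fixed here; sudo's env_reset drops $EDITOR

# path_allowed LIST REQUESTED
# Succeeds only if REQUESTED, after resolving symlinks and ".." components, is a
# regular file whose canonical path appears verbatim in LIST (one absolute path
# per line; blank lines and "#" comments are ignored).
path_allowed() {
    list=$1
    requested=$2
    # -e: every component must exist. Resolving symlinks means a link placed at
    # a listed name, or a path like /etc/../etc/shadow, is judged by its target.
    resolved=$(realpath -e -- "$requested" 2>/dev/null) || return 1
    [ -f "$resolved" ] || return 1          # no directories, devices or sockets
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in
            ''|'#'*) continue ;;            # blank line or comment
            /*) if [ "$resolved" = "$entry" ]; then return 0; fi ;;
            *) continue ;;                  # relative entries never match
        esac
    done < "$list"
    return 1
}

# edit_as_invoker FILE
# Edits FILE through a temporary copy owned by the sudo invoker, so the editor
# process itself never runs as root; the original keeps its mode and owner.
edit_as_invoker() {
    target=$1
    user=${SUDO_USER:?run this wrapper via sudo}
    tmp=$(mktemp "/tmp/${target##*/}.XXXXXX")
    trap 'rm -f -- "$tmp"' EXIT
    cp -- "$target" "$tmp"
    chown -- "$user" "$tmp"
    chmod 0600 "$tmp"
    runuser -u "$user" -- "$EDITOR_CMD" "$tmp"
    # Copying over the existing inode keeps the target's root ownership and mode.
    cp -- "$tmp" "$target"
}

main() {
    [ $# -eq 1 ] || { echo "usage: ${0##*/} /etc/FILE" >&2; exit 64; }
    if ! path_allowed "$ALLOWLIST" "$1"; then
        echo "${0##*/}: $1 is not listed in $ALLOWLIST" >&2
        exit 77
    fi
    edit_as_invoker "$(realpath -e -- "$1")"
}

# Run main only when installed under the wrapper's name; the functions can
# otherwise be sourced and exercised without sudo.
case ${0##*/} in
    text-mode-editor-filtered-path) main "$@" ;;
esac
```

Install it as /usr/local/sbin/text-mode-editor-filtered-path (root-owned, mode 0755) and keep the allowlist root-owned and not group/world writable, since anyone who can append to it can add /etc/sudoers or /etc/shadow. The matching sudoers rule is then `myuser ALL=(root) /usr/local/sbin/text-mode-editor-filtered-path`, with no visudo entry, because `visudo -f` would reopen the hole. Note that sudo already ships this behaviour as sudoedit: `myuser ALL=(root) sudoedit /etc/hostname` lets myuser edit exactly that file through a temporary copy with the editor running unprivileged, without any custom script.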