/etc files security/hardening (sudo)

Luiz Carlos

3/30/24, 4:34 AM

On Ubuntu 22.04, is that possible to deny ALL /etc files modifications and grant ONLY specific file(s) running as sudo? ex:

sudo text-mode-editor-filtered-path /etc/hostname

If /etc/hostname absolute path is into /etc/text-mode-editor-filtered-path.conf, the command above works with root read/write permission(s).

It is like visudo (sudo visudo). But visudo is only permitted to read/write /etc/sudoers. My idea is to hardening /etc files.

On /etc/sudoers we could have this:

myuser ALL=(ALL:ALL) /usr/bin/visudo,/usr/bin/text-mode-editor-filtered-path,/usr/bin/anyother-non-text-editor

So only visudo can edit /etc/sudoers and only text-mode-editor-filtered-path can edit it's .conf containing /etc file(s) absolute path.

Any idea?

0 + 3

permissions

etc

muru

3/30/24, 4:40 AM

Blacklist/whitelist ideas like these don't work well in practice, because often there's no way for you to stop someone from starting the editor with some permitted file, and then using the editor's functionality for opening files to access some disallowed file. Also you can edit whatever file you want with `visudo` using `visudo -f /path/to/file`.

muru

3/30/24, 4:42 AM

Does this answer your question? [How can I allow a user to edit a specific system file normally restricted to root?](https://askubuntu.com/questions/505050/how-can-i-allow-a-user-to-edit-a-specific-system-file-normally-restricted-to-roo)

Luiz Carlos

3/30/24, 7:13 AM

@muru The "issue" with visudo -f is that sudo_user or member of group_sudo can chance/edit any file into /etc. ACL is more permissive than visudo, so less safe. But we could combine visudo with ACL. Not blacklisting root_user, but allow sudo_user(s) make modifications to specific system file (into etc directory) normally restricted to root. Like we can restrict binaries that can ran with root privileges via sudo command (/etc/sudoers)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: /etc files security/hardening (sudo)

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.