
When I installed Ubuntu, I created an admin user. Now my plan is to remove sudo access from this user and add a custom sudo file for this user.

First I removed the sudo group from this user:

```
$ sudo cat /etc/group | grep admin
admin:x:1000:
```

```
$ sudo cat /etc/group | grep sudo
sudo:x:27:
```

There is not even an entry in the sudo file:

```
$ sudo cat /etc/sudoers | grep -v "#"
root    ALL=(ALL:ALL) ALL
```

My custom sudo file:

```
$ sudo cat /etc/sudoers.d/custom | grep -v "#"
Host_Alias HOSTNAME = myhost

Cmnd_Alias ARCH = /bin/tar, /bin/gzip, /bin/gunzip
...
...
root ALL = (ALL) ALL
admin HOSTNAME = NOPASSWD: ARCH,...,...
```

The interesting thing is that it prevents services which are not defined in the custom sudo file.

```
$ sudo /etc/init.d/virtualbox status
[sudo] password for admin: 
Sorry, user admin is not allowed to execute '/etc/init.d/virtualbox   status' as root on myhost.
```

The issue is that I am still able to edit the /etc folder. I created another test user, which works fine, meaning it can't edit /etc or perform other operations!

My goal is to prevent editing of the /etc directory while still being able to access /var/log/ and other general directories and operations. Here we can define which services to allow, but can we define the directory, or is there any other way?

Nullpointer
  • Why don't you add that [configuration] to the already existing sudo file? – George Udosen May 09 '17 at 07:42
  • @George Can you please elaborate more? – Nullpointer May 09 '17 at 08:24
  • This looks like a rehash of [your previous question](/q/906868/175814). If you want to create a user account that can start and stop services and read log files without full super-user privileges, *please do precisely that*. Don't create completely new sudoers rules from scratch if all you want to do is *grant or revoke user privileges*. See [How do I run specific sudo commands without a password?](/q/159007/175814) – David Foerster May 10 '17 at 13:13

0 Answers