Negate "rpm" for restricted sudo access

oscar · March 29, 2022, 10:33pm

Hey folks,

I’ve got a requirement to give sudo access for a user just to install a some specific “rpm’s” and negate anything else like he can’t install any other package or can’t add spaces etc (this is to do via yum & zypper)

for e.g if pkg name is “my_package.abc.rpm & my_package.def.rpm” will below sudo good enough? suggestions please…thanku!!!

my_user ALL=NOPASSWD: /bin/rpm -* my_package.*

Akito · March 30, 2022, 12:40am

What is your actual problem?

oscar · March 30, 2022, 3:50am

sorry if there some confusion… basically the above sudoers works which I tested too, but I’m thinking of any possibilities where the user can do more than what is intended to.

example for “cat” command were I already have this negation and it works. so here the user can only cat to files in /abc/def/* and rest all is denied. its kind of explicitly defining I guess. I’m looking something similar for “rpm.”

cmd alias bau_cmds = /usr/bin/cat /abc/def/*
cmd alias neg_cat = !/bin/cat /* , !/bin/cat * / *,

User Hosts RunAs Tags:Command

user host = (RUNAS) NOPASSWD:bau_cmds, neg_cat

please let me know if things are still unclear, thanks for you patience.

Akito · March 30, 2022, 11:30am

I tried to get at the question, of what you are trying to solve, just as explained in the link I provided in my first post.

Could you please explain, what you are actually trying to solve? Why do you need these restrictions? Why do you need such a user? What is the point of doing this?

We first need to understand the cause of your issue, before attempting a solution. Maybe there is a better solution out there?

oscar1 · March 30, 2022, 10:46pm

as I mentioned earlier its a requirement at my working place. the user is a monitoring app team member. they got sudo access to all system to manage there app and now they require access to install some additional rpm pkgs.

So here I’m trying to give them access just to install those pkgs but at the same time proactively make sure that they don’t do anything else.

nevj · March 30, 2022, 10:53pm

@oscar
This might be the answer

https://superuser.com/questions/767415/limit-user-to-execute-selective-commands-linux

Neville

oscar1 · March 30, 2022, 11:03pm

well I don’t get a solution, but yes some good info where I can do some more research and figure out my way… thanks Neville

nevj · March 30, 2022, 11:27pm

Use google for something like restrict sudo commands
You will bring up all sorts of useful links
Neville

Akito · March 31, 2022, 1:33pm

What does that mean?

Anyway, this is one simple way to do it:

https://www.atrixnet.com/allow-an-unprivileged-user-to-run-a-certain-command-with-sudo/

However, I would recommend looking at other solution ideas, rather than staying with your initial idea forever, without thinking about a better one.

For example, if the packages are always the same, why not pre-install them?
Or, if you really want the “restricted sudo access” permission, then you can allow the user to run a certain script, which allows them to only install packages.
However, that’s not a good solution. It’s not only cumbersome and hacky, it’s also insecure.