Results 1 to 5 of 5

Thread: Restricting a Sudoer from Mounting (or from writing to a partition)

Hybrid View

  1. #1
    Join Date
    Sep 2007
    Beans
    20
    Distro
    Ubuntu 10.04 Lucid Lynx

    Unhappy Restricting a Sudoer from Mounting (or from writing to a partition)

    Scenario being explored: We have a lab of computers wherein students need to use linux (CS students). Currently, they just start up a VM whenever needed -- this is slow and we're exploring just having a linux partition they can boot into when needed (preferred by everyone involved).

    Question: We want students to have the ability to install programs and administer the system freely (this partition will be similar to a liveCD in that changes will not be saved on reboot), but we want to try and restrict their ability to mount/write to the windows partition on the drive. Is there a way to limit access to mounting (or writing) to a partition on the system, but still let the users sudo?

    I've been exploring creating a root-like user that is slightly limited, but cannot pinpoint the differences that would be required between it and root.

    I fear we may just go with locking students out of sudo (setting 'rootpw' in the sudoers file), but if anyone has some ideas for me to pursue, I would GREATLY appreciate it!!
    Last edited by jakswa; June 5th, 2010 at 05:11 PM. Reason: wording

  2. #2
    Join Date
    Feb 2005
    Location
    Texas
    Beans
    Hidden!
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Restricting a Sudoer from Mounting (or from writing to a partition)

    Quick context: The ideal scenario for configuring sudoers that you don't want to have full reign over a system is to explicitly allow only the needed commands. The reverse - allowing all commands and then trying to explicitly disable or prevent a few - is tricky. In your case, there are too many ways they could potentially access the Windows partition.

    What you might want to think about is setting up a virtualized environment for the students where you can prevent access to disks on the host system (Virtualbox? - not sure).

  3. #3
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Restricting a Sudoer from Mounting (or from writing to a partition)

    You can restrict them either by :

    1. see man sudoers and allow access to some commands but not others. Probably not as good as #2.

    2. You can easily restrict them with apparmor.

    ln /bin/bash /usr/local/jailbash

    Change their log in shell to jailbash

    Restrict jailbash with apparmor, restricting access to the partition or device in question.

    You can modify this if you like:

    http://bodhizazen.net/aa-profiles/bo...l.bin.jailbash
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  4. #4
    Join Date
    Sep 2007
    Beans
    20
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Restricting a Sudoer from Mounting (or from writing to a partition)

    Thanks Anomie! I guess I didn't explain very clearly, but students do have access to a virtualized environment (I called it a VM above), and it works well. But for repeated/long use it is slow so we're taking a stab at a live install. I am gathering you are correct about the context I'm in, though... it looks like it will be very difficult to restrict write access to this partition.

    At this point, I predict we'll be settling for having the live install be very restricted, with access to only a few commands (maybe just apt-get, who knows).

    The last idea I'm trying at this moment is having the partition mounted on boot as read-only, and restricting sudo access to un-mounting anything. Seems already like a fail, though, because even if the user cannot execute "/bin/umount", they can "cp /bin/umount ~" and execute it from their home directory...

    If anyone following in my footsteps wants to see how (simple & weak) command restriction is performed, here are the corresponding lines in "/etc/sudoers" (edited with the command "sudo visudo"):

    Code:
    #alias for command(s) we want to restrict
    Cmnd_Alias MOUNT = /bin/mount
    
    #limit users in group 'test' from mounting
    %test ALL=(ALL) ALL, !MOUNT

  5. #5
    Join Date
    Sep 2007
    Beans
    20
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Restricting a Sudoer from Mounting (or from writing to a partition)

    Quote Originally Posted by bodhi.zazen View Post
    You can restrict them either by :

    1. see man sudoers and allow access to some commands but not others. Probably not as good as #2.

    2. You can easily restrict them with apparmor.

    Code:
    ln /bin/bash /usr/local/jailbash
    Change their log in shell to jailbash

    Restrict jailbash with apparmor, restricting access to the partition or device in question.

    You can modify this if you like:

    http://bodhizazen.net/aa-profiles/bo...l.bin.jailbash
    This looks promising, I'm giving apparmor a spin, and will try to remember to post my results.
    Last edited by jakswa; June 5th, 2010 at 06:49 PM. Reason: quote

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •