Posted on 09-20-2022 04:47 AM
Hi there,
I've had a request from our CISO about restricting the following command (and any others in the future):
sudo -s
We still want to allow people to run sudo, but within their own shell, so restricting access to Terminal/iTerm2 is not an option.
What we need to do is still allow people to run sudo commands, but not be able to open a root shell by using sudo -s.
Anyone have any ideas?
09-20-2022 08:18 AM - edited 09-20-2022 10:08 AM
Take a look at Automatically Lockdown/Disable Root access on MacOS
But keep in mind the best way to stay protected is removing admin where possible.
Posted on 09-21-2022 11:57 PM
So the best solution is:
1. Create the restricted shell. ...
2. Modify the target user for the shell as restricted shell.
3. Create a directory under /home/localuser/, e.g. programs. ...
Now if you check, the user localuser can access all commands which he/she has been allowed to execute.
Posted on 09-25-2022 07:51 AM
@markanderson wrote: So the best solution is:
1. Create the restricted shell. ...
2. Modify the target user for the shell as restricted shell.
3. Create a directory under /home/localuser/, e.g. programs. ...
Now if you check, the user localuser can access all commands which he/she has been allowed to execute.
Didn't know that was a bash option, would love to see an example. #kudogiven
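A sketch of the restricted-shell idea from the steps quoted above, as an added example that is not from any poster in this thread. It assumes bash is on the PATH, uses a temporary directory as a stand-in for /home/localuser, and picks `date` and `id` as the allowed commands; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: bash restricted mode plus an allow-listed "programs" directory.
# A temp dir stands in for /home/localuser (constructed; nothing real is changed).

BASH_BIN="$(command -v bash)"

# Build <home>/programs holding links to the only commands the user may run.
make_jail() {
    local home cmd
    home="$(mktemp -d)"
    mkdir "$home/programs"
    for cmd in date id; do          # allowed commands: an assumption for this demo
        ln -s "$(command -v "$cmd")" "$home/programs/$cmd"
    done
    printf '%s\n' "$home"
}

# Run one command line as the restricted user's shell would see it.
# -r turns on restricted mode (the same mode bash enters when invoked as rbash);
# PATH points only at the programs directory and becomes read-only.
run_restricted() {
    local home="$1"; shift
    (cd "$home" && env -i HOME="$home" PATH="$home/programs" \
        "$BASH_BIN" --noprofile --norc -r -c "$1" >/dev/null 2>&1)
}

# Report whether the restricted shell let the command line run.
verdict() {
    if run_restricted "$1" "$2"; then echo ALLOWED; else echo BLOCKED; fi
}

JAIL="$(make_jail)"
for attempt in 'date' 'ls' '/bin/ls' 'cd /' 'PATH=/bin:/usr/bin' 'date > out.txt'; do
    printf '%-22s %s\n' "$attempt" "$(verdict "$JAIL" "$attempt")"
done
```

The restriction only holds as long as nothing in the programs directory can itself start a shell or run arbitrary commands, so each allowed program needs reviewing before it is linked in.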