Help

Any way to restrict specific commands in Terminal?

Utilizator
Contributor

Posted on ‎09-20-2022 04:47 AM

Hi there,

I've had a request from our CISO about restricting the following command (and any others in the future):

sudo -s

We still want to allow people to run sudo, but within their own shell, so restricting access to Terminal/iTerm2 is not an option.

What we need to do is still allow people to run sudo commands, but not be able to open a root shell by using sudo -s

Anyone have any ideas?

3 REPLIES 3

shaquir
Contributor III

‎09-20-2022 08:18 AM - edited ‎09-20-2022 10:08 AM

Take a look at Automatically Lockdown/Disable Root access on MacOS

But keep in mind the best way to stay protected is removing admin where possible.  

markanderson
New Contributor II

Posted on ‎09-21-2022 11:57 PM

So the best solution is :
1. Create the restricted shell. ...
2. Modify the target user for the shell as restricted shell.
3. Create a directory under /home/localuser/ , e.g. programs. ...
Now if you check, the user localuser can access all commands which he/she has allowed to execute.

donmontalvo
Esteemed Contributor III
In response to markanderson

Posted on ‎09-25-2022 07:51 AM

@markanderson wrote:

So the best solution is :
1. Create the restricted shell. ...
2. Modify the target user for the shell as restricted shell.
3. Create a directory under /home/localuser/ , e.g. programs. ...
Now if you check, the user localuser can access all commands which he/she has allowed to execute.

Didn't know that was a bash option, would love to see an example. #kudogiven

--
https://donmontalvo.com
0 Kudos