I have a file with root permissions, like this:
[root@testbox ~]# ls -l /etc/resolv.conf
-rw-r--r-- 1 root root 113 Feb 21 21:29 /etc/resolv.conf
I have enabled passwordless sudo for my user using /etc/sudoers:
%mayur ALL=(ALL) NOPASSWD: ALL
I want some way where, if I try to edit this particular file, I get blocked. For example, I want to block these commands based on THE FILE NAME:
$ echo 123 | sudo tee /etc/resolv.conf ## SHOULD GET BLOCKED
$ touch newfile | echo 123 > newfile | sudo cp newfile /etc/resolv.conf ## SHOULD GET BLOCKED
My Efforts:
%mayur ALL=(ALL) NOPASSWD: ALL,!/* /etc/resolv.conf
Anything that works will help. Thanks.
EDIT: I want to be able to apply the solution across multiple servers with multiple users having sudo access.
You can use a wrapper:
#!/bin/bash
# Load the block list: one absolute, canonical path per line.
declare -A EXCLUDE
while IFS= read -r FILE; do
    EXCLUDE[$FILE]=.
done < /etc/sudoers.exclude-list
# Canonicalise every argument (symlinks, "..", files that do not exist yet)
# and refuse the command if any of them lands on a listed path.
for ARG in "$@"; do
    TARGET=$(exec /usr/bin/readlink -m -- "$ARG")
    [[ -n $TARGET && -n ${EXCLUDE[$TARGET]} ]] && {
        echo "sudo: Sorry, target is not allowed: $TARGET"
        exit 1
    }
done
exec /path/to/real/sudo-in-secured-location "$@"
Where /etc/sudoers.exclude-list is a line-based list of absolute real file paths. Entries must not contain extra spaces and the list must not be in DOS format.
This script must have the same ownership and permissions as the real sudo.
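To see what the wrapper's argument check actually catches, here is the same check factored into a function and run against a constructed exclude list; this is an added example, not the answerer's script, and EXCLUDE_LIST plus the temp-dir fixture are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the answerer's wrapper): the same argument check,
# factored into a function and run against a constructed exclude list so
# the effect of readlink -m canonicalisation can be seen. EXCLUDE_LIST and
# the temp-dir fixture are assumptions for this demo.

# Return 0 (blocked) if any argument canonicalises to a path listed in
# $EXCLUDE_LIST (one absolute real path per line, the format the answer
# uses for /etc/sudoers.exclude-list), 1 otherwise. readlink -m resolves
# symlinks and ".." components even for files that do not exist yet.
args_blocked() {
    for arg in "$@"; do
        target=$(readlink -m -- "$arg")
        if [ -n "$target" ] && grep -Fxq -- "$target" "$EXCLUDE_LIST"; then
            echo "sudo: Sorry, target is not allowed: $target" >&2
            return 0
        fi
    done
    return 1
}

# Constructed fixture: a fake resolv.conf in a temp dir, a symlink to it
# from a "home" dir, and an exclude list naming only the real path.
demo_setup() {
    DEMO=$(readlink -f "$(mktemp -d)")
    mkdir -p "$DEMO/etc" "$DEMO/home"
    : > "$DEMO/etc/resolv.conf"
    ln -s "$DEMO/etc/resolv.conf" "$DEMO/home/dns.conf"
    EXCLUDE_LIST=$DEMO/exclude-list
    printf '%s\n' "$DEMO/etc/resolv.conf" > "$EXCLUDE_LIST"
}

demo_setup
# Direct path, symlink and ".."-relative spelling all land on the entry;
# an unrelated file under the same directory does not.
for a in "$DEMO/etc/resolv.conf" "$DEMO/home/dns.conf" \
         "$DEMO/home/../etc/resolv.conf" "$DEMO/etc/hosts"; do
    if args_blocked tee "$a"; then echo "blocked: $a"; else echo "allowed: $a"; fi
done
```

The check only sees paths that appear literally on the sudo command line, so treat it as one layer alongside sudo's own logging and file-integrity monitoring rather than as the sole control.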