I want to edit my sudoers file so users have different privileges based on where they are logging in from. I want to have 3 different locations: external network (internet), internal (local LAN) and the console (user sitting in front of the computer). Defining external and internal would be something like:

Host_Alias       PRIVNET         = 10.6.66.0/25, 10.6.67.128/28

But how do I define the console?

I don't want a user to be able to make changes to the firewall or sudoers, for example, if he is not on location, in case something goes wrong or maybe even if his account is compromised.

I just want to make sure that the user is nearby when making critical changes.

masegaloeh
Stulli

2 Answers

The sudoers Host definition (and thus Host_Alias) is meant for defining which hosts this sudoers file entry applies to. In other words, it defines what rights users have on this host, not from which hosts they have these rights. (iirc)

So, to make a long story short, what you want to do cannot be done with a sudoers entry.

wzzrd

If you can do this, I would think it would be done somewhere with PAM (Pluggable Authentication Modules). Or maybe the 'requiretty' directive of the sudoers file (man sudoers).

However, I think you might want to mention your goal. This doesn't feel right to me from a security perspective. I think it would make more sense to have different accounts with different levels of access, and then only allow those accounts to log in from certain IP addresses. Then you have two macro levels of security, password authentication and IP based. The primary level is the account -- I think an account should be able to do the same things no matter where they logged in from.

Using the sudoers file to restrict commands seems a little too fine-grained to me, so I would only use it as an additional layer of security to what I mentioned above.

So in the end my recommendation is:

  • Create different accounts / groups with the access you want, and give them access to those commands in the sudoers file. The idea is that there are 'external (non-lan)' accounts that can never run certain commands, and privileged accounts that can.
  • Use PAM to control where these privileged accounts are allowed to log in to; here is an example doing this with ssh.
Kyle Brandt
  • This is not thought of as a security measure but more as a precaution. The idea is that a user cannot make significant changes to the server if he is miles away so if something goes wrong and he for example loses the connection. – Stulli Dec 02 '09 at 20:31
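
One way the account-plus-origin layout recommended in the second answer could look with pam_access, as an added example that is not part of the original thread. The group names `coreadmins` and `lanadmins` and the command paths are hypothetical; the network ranges are the PRIVNET values from the question.

```conf
# --- /etc/security/access.conf (read by pam_access; first matching line wins) ---
# Format: permission : users or (groups) : origins
# (coreadmins) and (lanadmins) are hypothetical groups, not from the thread.

# Accounts that may change the firewall or sudoers: physical console ttys only.
+ : (coreadmins) : tty1 tty2 tty3 tty4 tty5 tty6
- : (coreadmins) : ALL

# Accounts for routine administration: console or the internal ranges.
+ : (lanadmins) : tty1 tty2 tty3 tty4 tty5 tty6 10.6.66.0/25 10.6.67.128/28
- : (lanadmins) : ALL

# Accounts in neither group match no rule above and are not restricted here.

# --- /etc/pam.d/sshd and /etc/pam.d/login (enable the origin check) ---
account  required  pam_access.so

# --- sudoers fragment (edit with visudo) ---
# Command paths are assumptions; adjust to the distribution.
# Critical commands go only to the console-only group.
%coreadmins  ALL = /usr/sbin/visudo, /sbin/iptables
# Constructed example of a less critical command for the LAN group.
%lanadmins   ALL = /usr/bin/systemctl restart sshd
```

For the sshd account stack to be consulted, `UsePAM yes` must be set in sshd_config. Explicit tty names are used instead of the `LOCAL` keyword because `LOCAL` matches any origin string without a dot, which is broader than the physical console.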