February 27th, 2020 01:00

Use sudo to block user from running isi commands

Hi,

I need to block a user from running isi commands from the CLI interface (but I still need the user to be able to SSH into the Isilon cluster). I assume that can be done via sudo, i.e. use the visudo command and add an entry like:

username ALL=(ALL) !/usr/bin/isi*

but it does not work.

Any ideas/suggestions?

Thanks


1.2K Posts

February 27th, 2020 07:00

Couple of thoughts:

1. isi commands have a fine-grained "role-based" access control for non-root users that goes far beyond what sudo can do.

2. It seems you want to give the user mostly root-like access via sudo with a few exceptions -- while this can certainly be done with the right visudo syntax, still users nearly always can bypass the exceptions by clever use of the many commands that sudo grants to them for calling as root. Like shells or editors that can escape to a shell. There is no guaranteed "blacklist" of commands to make it safe. Always use sudo with a positive "whitelist" as small as possible.

3. Can you tell us what you actually want to achieve; what actions should the user be allowed to perform on the cluster?

4. In case the user should only "manage data" under the /ifs filesystem, we can discuss various options how this can be done in a privileged from a client machine.

-- Peter
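
Added example, not part of the original thread or of any Isilon tooling: a small Python check that classifies sudoers user specifications along the lines of point 2, separating explicit allowlists from `ALL`-with-exceptions rules and from rules that contain only negations. It assumes a simplified one-line syntax (no aliases, continuations or escaped commas); the `report-usage` path and every sample line except the rule quoted in the question are constructed.

```python
import re

# Simplified one-line user specification: who host = (runas) cmd, cmd, ...
# Assumption: no aliases, no line continuations, no escaped commas.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips tags such as NOPASSWD:

ADVICE = {
    "grants-nothing": "only negations: sudo permits nothing, and commands "
                      "run without sudo are not affected at all",
    "denylist": "ALL with exceptions: the exceptions can usually be "
                "bypassed, replace with an explicit allowlist",
    "unrestricted": "full root-equivalent access",
    "allowlist": "no ALL grant; keep the command list as small as possible",
}

def classify(line):
    """Return (who, verdict) for a user specification, else None."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
        return None
    m = SPEC.match(line)
    if not m:
        return None
    cmds = [TAG.sub("", c.strip()) for c in m.group("cmds").split(",")]
    allowed = [c for c in cmds if not c.startswith("!")]
    denied = [c for c in cmds if c.startswith("!")]
    if not allowed:
        verdict = "grants-nothing"
    elif "ALL" in allowed:
        verdict = "denylist" if denied else "unrestricted"
    else:
        verdict = "allowlist"
    return m.group("who"), verdict

# Constructed sample; only the first rule is quoted from the question.
SAMPLE = """\
# constructed sudoers excerpt
username ALL=(ALL) !/usr/bin/isi*
username ALL=(ALL) ALL, !/usr/bin/isi*
username ALL=(root) NOPASSWD: /usr/local/bin/report-usage
"""

def audit(text):
    """Classify every user specification found in a sudoers excerpt."""
    return [r for r in map(classify, text.splitlines()) if r]

if __name__ == "__main__":
    for who, verdict in audit(SAMPLE):
        print(f"{who}: {verdict} ({ADVICE[verdict]})")
```

The rule from the question lands in `grants-nothing`: sudoers only decides what may be run through sudo, so a lone negation does not stop the user from invoking the binary directly.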

89 Posts

March 3rd, 2020 08:00

Thank you for the input.

An empty RBAC role assigned to the user seems to have the desired effect.
