
Use sudo to block user from running isi commands


Hi,

I need to block a user from running isi commands from the CLI interface (but I still need the user to be able to SSH into the Isilon cluster). I assume that can be done via sudo, i.e. use the visudo command and add an entry like:

username ALL=(ALL) !/usr/bin/isi*

but it does not work.

Any ideas/suggestions?

Thanks

Accepted Solutions
Re: Use sudo to block user from running isi commands

Couple of thoughts:

1. isi commands have a fine-grained "role-based" access control for non-root users that goes far beyond what sudo can do.

2. It seems you want to give the user mostly root-like access via sudo with a few exceptions -- while this can certainly be done with the right visudo syntax, users can still nearly always bypass the exceptions by clever use of the many commands that sudo grants to them for calling as root, like shells or editors that can escape to a shell. There is no guaranteed "blacklist" of commands to make it safe. Always use sudo with a positive "whitelist" as small as possible.

3. Can you tell us what you actually want to achieve; what actions should the user be allowed to perform on the cluster?

4. In case the user should only "manage data" under the /ifs filesystem, we can discuss various options how this can be done in a privileged from a client machine.

-- Peter
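
Point 2 of the answer above, as an added example that is not part of the original post: a small Python check that classifies sudoers user specifications as negation-only, denylist (ALL with ! exclusions), unrestricted or allowlist. The sample entries are constructed, the parser only handles simple one-line specifications, and the names `classify` and `audit` are hypothetical.

```python
import re

# Constructed sample sudoers entries for illustration (not from a real cluster).
SAMPLE_SUDOERS = """\
username ALL=(ALL) !/usr/bin/isi*
operator ALL=(ALL) ALL, !/usr/bin/isi*
admin    ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) /usr/bin/rsync, /usr/bin/du
"""

# Simplified grammar (assumption): "who hosts = [(runas)] cmd, cmd, ..." on one line.
SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
NOT_USER_SPECS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def classify(line):
    """Return (who, verdict) for a simple user specification, else None."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith(NOT_USER_SPECS):
        return None
    m = SPEC.match(line)
    if m is None:
        return None
    who, cmds = m.group(1), []
    for cmd in m.group(3).split(","):
        # Drop leading tags such as NOPASSWD: before looking at the command.
        cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())
        if cmd:
            cmds.append(cmd)
    negated = [c for c in cmds if c.startswith("!")]
    granted = [c for c in cmds if not c.startswith("!")]
    if not granted:
        verdict = "negation-only"   # nothing is granted through sudo at all
    elif "ALL" in granted and negated:
        verdict = "denylist"        # ALL minus exceptions: the pattern to avoid
    elif "ALL" in granted:
        verdict = "unrestricted"
    else:
        verdict = "allowlist"       # explicit commands only
    return who, verdict


def audit(text):
    """Classify every user specification found in a sudoers-style text."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for who, verdict in audit(SAMPLE_SUDOERS):
        print(f"{who:10} {verdict}")
```

A negation-only entry like the one in the question grants nothing through sudo and does not restrict what the user can run directly without sudo.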


Re: Use sudo to block user from running isi commands


Thank you for the input.

An empty RBAC role assigned to the user seems to have the desired effect.
