From c9844805a441a3213f9a8cc313f114241f103ec2 Mon Sep 17 00:00:00 2001
From: dpeca
Date: Mon, 23 Mar 2020 19:31:42 +0100
Subject: [PATCH 1/3] Limiting /etc/sudoers for Ubuntu

---
 upd/limit_sudo.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/upd/limit_sudo.sh b/upd/limit_sudo.sh
index 4f4ac924..22572151 100755
--- a/upd/limit_sudo.sh
+++ b/upd/limit_sudo.sh
@@ -4,3 +4,5 @@ if [ -e "/etc/sudoers.d/admin" ]; then
 sed -i "s/admin.*ALL=(ALL).*/# sudo is limited to vesta scripts/" \
 /etc/sudoers.d/admin
 fi
+
+sed -i "s/%admin.*ALL=(ALL).*/# sudo is limited to vesta scripts/" /etc/sudoers

From 00e1f46276a5bb901c89d56f5a1d3e19d519eeb9 Mon Sep 17 00:00:00 2001
From: dpeca
Date: Mon, 23 Mar 2020 19:34:39 +0100
Subject: [PATCH 2/3] Limiting /etc/sudoers for Ubuntu

---
 install/vst-install-ubuntu.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh
index 653f7fc1..21f645bd 100755
--- a/install/vst-install-ubuntu.sh
+++ b/install/vst-install-ubuntu.sh
@@ -688,6 +688,7 @@ chmod 755 /usr/bin/rssh
 mkdir -p /etc/sudoers.d
 cp -f $vestacp/sudo/admin /etc/sudoers.d/
 chmod 440 /etc/sudoers.d/admin
+sed -i "s/%admin.*ALL=(ALL).*/# sudo is limited to vesta scripts/" /etc/sudoers
 
 # Configuring system env
 echo "export VESTA='$VESTA'" > /etc/profile.d/vesta.sh

From c915bff32eecbd29bc49275aaeeeeddecde1dc99 Mon Sep 17 00:00:00 2001
From: dpeca
Date: Tue, 24 Mar 2020 20:40:47 +0100
Subject: [PATCH 3/3] Forbid changing root password

---
 bin/v-change-user-password | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bin/v-change-user-password b/bin/v-change-user-password
index 22a3d78f..a1b6a76f 100755
--- a/bin/v-change-user-password
+++ b/bin/v-change-user-password
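Review bot: The added `sed -i` rewrites `/etc/sudoers` in place with no validation afterwards, and a malformed sudoers file disables sudo for every account on the host; the same line is added in install/vst-install-ubuntu.sh. A cheap safeguard is to follow the edit with `visudo -cf /etc/sudoers >/dev/null || echo "Error: /etc/sudoers failed visudo check" >&2` so a broken result is reported rather than silently left in place. Unlike the existing `/etc/sudoers.d/admin` branch, the new line is also not guarded by an `-e` test, so wrapping it in `if [ -e /etc/sudoers ]; then … fi` keeps the two edits consistent. Note as well that the pattern only comments out the `%admin` group rule; Ubuntu's default sudoers also carries a `%sudo` rule, which is left intact, so if the admin account is also a member of the `sudo` group it keeps unrestricted sudo — worth confirming against how that account is created.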
@@ -22,6 +22,9 @@ source $VESTA/conf/vesta.conf
 # Verifications #
 #----------------------------------------------------------#
 
+if [ "$user" = "root" ]; then
+ check_result $E_FORBIDEN "Changing root password is forbiden"
+fi
 check_args '2' "$#" 'USER PASSWORD'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
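Review bot: The new guard on `$user` is a name comparison only, so it blocks the literal account `root` but not any other uid-0 account that may exist on the host, which then falls through to the later object checks whose behaviour for such an account is outside this hunk. If the intent is to protect the superuser rather than the name, `if [ "$user" = "root" ] || [ "$(id -u "$user" 2>/dev/null)" = "0" ]; then` covers both cases. The message on the `check_result` line has a typo; it should read `"Changing root password is forbidden"` (the `$E_FORBIDEN` constant is defined outside this hunk and should stay as spelled there). Running the guard before `check_args '2' "$#"` is harmless given the quoting, but placing it after the argument-count check matches the order of the other verifications.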