sudoers-hosts-guard/sudoers at main · 5byuri/sudoers-hosts-guard · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults        use_pty

# Für sink: root-Passwort statt User-Passwort und kein Caching
Defaults:%sink      rootpw
Defaults:%sink      timestamp_timeout=0

# Alias nur für das Tool, das ein Passwort braucht
Cmnd_Alias         SENSITIVE = /usr/bin/rm * /etc/hosts, /usr/bin/su , /usr/bin/vim /etc/hosts, /usr/bin/nano /etc/hosts, /usr/sbin/visudo, /usr/bin/tee * /etc/hosts, /usr/bin/mv * /etc/hosts, /usr/bin/cp /etc/hosts, /usr/bin/vim /etc/*, /usr/bin/vim * hosts, /usr/bin/chattr, /usr/bin/dpkg *tor*, /usr/bin/apt *tor*, /usr/bin/apt-get *tor*, /usr/bin/flatpak *tor*, /usr/bin/flatpak install *tor*, /usr/bin/flatpak run *tor*

# Host alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL


# Mitglieder der sudo-Gruppe dürfen alles (User-Passwort)
%sudo   ALL=(ALL:ALL) ALL

# Mitglieder der sink-Gruppe:
%sink   ALL=(ALL:ALL)   NOPASSWD: ALL
%sink   ALL=(ALL:ALL)   PASSWD: SENSITIVE

# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d