Index: scripts/lockdown.sh
===================================================================
diff -u -r8d76f7e1a4da17d03d1a28e78716ab19a9615cfd -rce3812aba1fc3f33343b32fc18ed9f42bfe9d3fa
--- scripts/lockdown.sh (.../lockdown.sh) (revision 8d76f7e1a4da17d03d1a28e78716ab19a9615cfd)
+++ scripts/lockdown.sh (.../lockdown.sh) (revision ce3812aba1fc3f33343b32fc18ed9f42bfe9d3fa)
@@ -8,23 +8,18 @@
 CONTENT_SUDOERS="
 Defaults env_reset
 Defaults mail_badpass
-Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin\"
+Defaults secure_path=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"
 Defaults use_pty
 # User privilege specification
 root ALL=(ALL:ALL) ALL
-# Members of the admin group may gain root privileges
-%admin ALL=(ALL) ALL
-
 # Allow members of group sudo to execute any command
+# this line should have been commented out to revoke any access from sudoers,
+# other than what has been specifically mentioned below.
+# but since it make the serviceability so hard it has not been.
 %sudo ALL=(ALL:ALL) ALL
-# All serviceuser to execute any command
-serviceuser ALL=(ALL:ALL) ALL
-%serviceuser ALL=(ALL:ALL) ALL
-
-
 # Allow the denali user to execute specific commands as root.
 denali ALL=(root) NOPASSWD: /usr/bin/bluetoothctl
 denali ALL=(root) NOPASSWD: /usr/bin/tee *
@@ -34,6 +29,7 @@
 denali ALL=(root) NOPASSWD: /bin/systemctl stop wpa_supplicant@*
 denali ALL=(root) NOPASSWD: /bin/systemctl restart wpa_supplicant@*
 denali ALL=(root) NOPASSWD: /bin/rm -f /etc/wpa_supplicant/wpa_supplicant-*
+denali ALL=(root) NOPASSWD: /bin/chmod 640 /etc/wpa_supplicant/wpa_supplicant-*
 denali ALL=(root) NOPASSWD: /sbin/ip link set *
 denali ALL=(root) NOPASSWD: /sbin/ip route show
 denali ALL=(root) NOPASSWD: /sbin/ip route del default
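Review bot: Retaining `%sudo ALL=(ALL:ALL) ALL` means the per-command `denali` rules below it only restrict accounts that are kept out of the `sudo` group, and the three added comment lines state this indirectly and with a grammar slip (`since it make`). I would reword them to name the actual condition, e.g. `# %sudo is deliberately kept for serviceability; the restricted rules below only constrain accounts that are not members of the sudo group (this script removes the cloud user from that group later).` The `CONTENT_SUDOERS="` assignment opens in this hunk and closes outside it. Also, the retained context line `denali ALL=(root) NOPASSWD: /usr/bin/tee *` lets that account write any root-owned file, including this policy, which makes the narrower rules moot; the argument should be limited to the specific paths denali needs to write.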
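Review bot: The added `denali ALL=(root) NOPASSWD: /bin/chmod 640 /etc/wpa_supplicant/wpa_supplicant-*` rule is wider than the comment above it suggests, because in sudoers a `*` in command arguments also matches whitespace, so the pattern accepts further arguments after the intended file (the existing `/bin/rm -f /etc/wpa_supplicant/wpa_supplicant-*` line has the same shape). Unless the interface names are open-ended, list the concrete files instead, e.g. `denali ALL=(root) NOPASSWD: /bin/chmod 640 /etc/wpa_supplicant/wpa_supplicant-<IFACE>.conf` with one line per managed interface (placeholder, fill from the deployment), or route both operations through a small root-owned helper script that takes only an interface name. A short comment on the rule, `# 640 keeps the PSK readable by the owning group only`, would record why that mode was chosen.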
@@ -119,6 +115,9 @@
 local fileTarget="/etc/sudoers"
 # Allow the denali user to execute specific commands as root.
 echo "$CONTENT_SUDOERS" > $fileTarget
+
+ #removing the cloud user who runs the CloudSync entirely from sudoers
+ gpasswd -d cloud sudo
 }
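Review bot: The new `gpasswd -d cloud sudo` line runs right after `/etc/sudoers` is overwritten with `echo "$CONTENT_SUDOERS" > $fileTarget`, and neither step is checked: a syntax error in the generated policy leaves a sudoers file that sudo refuses to load, locking every account out, and gpasswd's exit status is ignored if `cloud` is not a member (or the script aborts under `set -e`, depending on options set outside this hunk). Stage the policy in a temp file, validate it with `visudo -cf`, and only then install it with the mode sudo expects; the function whose closing `}` is shown starts outside this hunk. The comment on the new line would read better as `# Remove the cloud user (runs CloudSync) from the sudo group so only the explicit rules above apply to it.` and the gpasswd call should at least be followed by `|| return 1`.
```shell
    local fileTarget="/etc/sudoers"
    local staged
    staged=$(mktemp) || return 1
    # Validate before replacing the live file: a malformed /etc/sudoers
    # locks every account out of sudo.
    printf '%s\n' "$CONTENT_SUDOERS" > "$staged"
    if ! visudo -cf "$staged"; then
        rm -f -- "$staged"
        return 1
    fi
    install -m 0440 -o root -g root -- "$staged" "$fileTarget"
    rm -f -- "$staged"
    # … unchanged: removal of the cloud user from the sudo group …
```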