sudoers file: prevention of su to root
Jeremy Fason
jfason at rocketmail.com
Mon Oct 8 19:19:03 EDT 2001
This is what I have done to stop su'ing to any root
variation (assuming "su" is in /usr/bin; I have seen a
few users copy su to their home dir and then run it,
but that's what logs are for, guarantee they won't do it
again). I even had to add the last line because the
command "sudo su<character>" (notice the missing
space, which is usually a typo, i.e. "sudo su -oracle")
would do the equivalent of "sudo -s", which was not
good. This will let users su [ ,-] <anyuser> only.
# Order matters: sudo uses the last matching entry, so the wildcard
# grants come first and the root / option denials after them.
Cmnd_Alias SUROOT = \
    !/usr/bin/su "", !/usr/bin/su -, \
    !/sbin/su.static "", !/sbin/su.static -, \
    /usr/bin/su - [a-z]*, /usr/bin/su [a-z]*, \
    !/usr/bin/su root, !/usr/bin/su - root, \
    !/usr/bin/su -[a-z]*, !/sbin/su.static -[a-z]*
BTW, this even stops the sudo -s (root shell) switch
Hope this helps.
--- "Parson, David" <David.Parson at pacificorp.com>
wrote:
>
> Folks:
>
> I have been trying to write a generic sudoers file
> to prevent most folks
> {note: most, but not all} from doing a "su -, su,
> ...". I think you get the
> idea in that in most cases don't care if folks use
> "sudo su someone", but
> that they be prevented from doing any kind of su to
> root shell.
>
> Someone was kind enough to send me the syntax with
> some ideas on how to
> implement this, but some of the syntax won't work
> and what does will not
> prevent a su to root.
>
> thanks
>
> --David
>
>
> -----Original Message-----
> From: Matthew Hannigan [mailto:mlh at zip.com.au]
> Sent: Monday, October 08, 2001 12:14 PM
> To: sudo-users at courtesan.com
> Subject: [Fwd: equiv of "su -"]
>
>
>
>
> Anyone?
>
>
>
> mlh at zip.com.au wrote:
> >
> > All,
> > I want sudo root shell to run .profile.
> >
> > What is the sudo equivalent to "su -" ?
> >
> > Besides "sudo su -" that is. Because
> > for RUNAS users, you would have to allow
> > them to run su as root, and restrict them
> > somehow to su - RUNASUSER.
> >
> > Regards,
> > -Matt
> >
> > ---------------------------------------------
> > This message was sent using Endymion MailMan.
> > http://www.endymion.com/products/mailman/
>
____________________________________________________________
>
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe,
> visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users
>
>
__________________________________________________
Do You Yahoo!?
NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1
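Editor's added example (not part of Jeremy's message and not code from the sudo project): the SUROOT alias above depends on two pieces of sudoers matching that the post does not spell out and that are worth checking on your own box. Within an alias the last matching entry wins, and a "*" in an argument pattern matches any characters, spaces included (sudoers(5) warns about this), so "[a-z]*" matches "oracle" but also "root -c id". The script below models that matching with Python's fnmatchcase, which is assumed here to behave like sudo's fnmatch(3) use for "*", "?" and "[a-z]"; the command lines it evaluates are constructed test input, the post's own cases plus a few a practitioner would try.

```python
# Added illustration (editor's, not from the original message or from sudo):
# a small model of how sudo decides on the SUROOT alias quoted above.
# Assumptions, stated because the post does not spell them out:
#   * sudo joins the command's arguments with single spaces and matches that
#     one string against the entry's argument pattern with fnmatch(3)-style
#     globbing, where '*' also matches spaces; Python's fnmatchcase treats
#     '*', '?' and '[a-z]' the same way.
#   * a pattern of "" means the command must be run with no arguments.
#   * when several entries of an alias match, the last one in the file wins.
from fnmatch import fnmatchcase

# The alias from the post, in the order it was written: (negated, path, args).
SUROOT = [
    (True,  "/usr/bin/su",     '""'),
    (True,  "/usr/bin/su",     "-"),
    (True,  "/sbin/su.static", '""'),
    (True,  "/sbin/su.static", "-"),
    (False, "/usr/bin/su",     "- [a-z]*"),
    (False, "/usr/bin/su",     "[a-z]*"),
    (True,  "/usr/bin/su",     "root"),
    (True,  "/usr/bin/su",     "- root"),
    (True,  "/usr/bin/su",     "-[a-z]*"),
    (True,  "/sbin/su.static", "-[a-z]*"),
]


def args_match(pattern, args):
    """Match one sudoers argument pattern against argv[1:] of the command."""
    joined = " ".join(args)
    if pattern is None:          # entry written without arguments: any args
        return True
    if pattern == '""':          # sudoers "" : the command takes no arguments
        return joined == ""
    return fnmatchcase(joined, pattern)


def sudo_allows(alias, path, args):
    """True if sudo would run `path args...` under this Cmnd_Alias.

    No matching entry means deny (sudo's default); otherwise the decision
    is the sign of the LAST entry that matched.
    """
    decision = False
    for negated, cmd, pattern in alias:
        if cmd == path and args_match(pattern, args):
            decision = not negated
    return decision


# Constructed command lines a user might type after "sudo" (test input only).
CASES = {
    "su":                 ("/usr/bin/su", []),
    "su -":               ("/usr/bin/su", ["-"]),
    "su oracle":          ("/usr/bin/su", ["oracle"]),
    "su - oracle":        ("/usr/bin/su", ["-", "oracle"]),
    "su root":            ("/usr/bin/su", ["root"]),
    "su - root":          ("/usr/bin/su", ["-", "root"]),
    "su -oracle":         ("/usr/bin/su", ["-oracle"]),            # the typo
    "su -s /bin/sh root": ("/usr/bin/su", ["-s", "/bin/sh", "root"]),
    "su -- root":         ("/usr/bin/su", ["--", "root"]),
    "su root -c id":      ("/usr/bin/su", ["root", "-c", "id"]),
    "su.static oracle":   ("/sbin/su.static", ["oracle"]),
}


def evaluate_cases(alias=SUROOT, cases=CASES):
    """Map each constructed command line to sudo's allow/deny decision."""
    return {line: sudo_allows(alias, path, args)
            for line, (path, args) in cases.items()}


if __name__ == "__main__":
    for line, allowed in evaluate_cases().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  sudo {line}")
```

Run it and the denials for "su", "su -", "su root", "su - root" and the "su -oracle" typo come out as the post describes, and "su oracle" / "su - oracle" are allowed. Two further things it shows: nothing in the alias ever grants /sbin/su.static, so that binary is denied outright; and "su root -c id" is accepted, because once more arguments follow the user name the exact "!/usr/bin/su root" entry no longer matches while "[a-z]*" still does. Whether that last line really hands out root depends on the local su accepting options after the user name (GNU su does), so check the alias with visudo -c and sudo -l on the target system rather than trusting the pattern on paper.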