[sudo-users] sudoers exception failure with root
Brent Fortman
Brent.Fortman at radioshack.com
Thu Sep 1 12:11:03 EDT 2005
With this level of access, you have already given away the proverbial
"keys to the kingdom". There is very little you can do to prevent
anyone from becoming root if they really want to (e.g. sudo ksh, or sudo
vi and escape to shell). If you are going to give away this much access,
why not simply trust your ADMIN users or perhaps monitor their activity
via the logs?
Brent
-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Mike
Sent: Wednesday, August 31, 2005 1:53 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] sudoers exception failure with root
I need some help understanding why sudo isn't allowing me to prevent
users from logging on as root. I looked in the posts archives and
didn't see anything so I'm sorry if this is a recursive post. I followed
the example in the sudoers manual and yet I'm still allowed to login as
root. Here are a few lines of the sudoers file that should have the
proper syntax, any help would be appreciated:
ADMIN ALL=(ALL) /usr/local/bin/, /usr/local/sbin/, \
                /usr/bin/, /usr/sbin/, \
                /bin/, /sbin/, \
                /etc/, \
                /bin/su [-]?*, !/bin/su [-]*root*, \
                /usr/sbin/su [-]?*, !/usr/sbin/su [-]*root*, \
                /usr/local/scripts/, \
                /usr/local/scripts/backup/, \
                !/usr/sbin/visudo, !/usr/local/bin/visudo, \
                !/sbin/visudo, \
                !/usr/bin/passwd root, \
                !/etc/passwd root
There are no further instances of /bin, /sbin anywhere else in the
file.
In reading through other posts, I understand that in the processing of
a request, the last item seen is the item that wins. I am at a loss as
to how to deny a user the ability to log on as root.
Thank you for your time.
Mike
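
Added example, not part of either message and not sudo's own code: a simplified Python model of how a sudoers command list is evaluated (last matching entry wins), run against the ADMIN rule quoted above. It shows why the negated su and visudo entries cannot contain a user who is also granted whole directories; /bin/ksh and /usr/bin/vi are assumed install paths for the programs named in the reply, and sudo's wildcard handling is approximated with fnmatch.

```python
import fnmatch
import posixpath

# Command list of the ADMIN rule quoted in the message above.
CMND_LIST = """
/usr/local/bin/, /usr/local/sbin/, /usr/bin/, /usr/sbin/, /bin/, /sbin/, /etc/,
/bin/su [-]?*, !/bin/su [-]*root*, /usr/sbin/su [-]?*, !/usr/sbin/su [-]*root*,
/usr/local/scripts/, /usr/local/scripts/backup/, !/usr/sbin/visudo,
!/usr/local/bin/visudo, !/sbin/visudo, !/usr/bin/passwd root, !/etc/passwd root
"""

def parse(cmnd_list):
    """Split the list into (spec, allow, path_pattern, args_pattern) in file order."""
    entries = []
    for raw in cmnd_list.replace("\n", " ").split(","):
        spec = raw.strip()
        if spec:
            path, _, args = spec.lstrip("!").partition(" ")
            entries.append((spec, not spec.startswith("!"), path, args.strip() or None))
    return entries

def entry_matches(path_pat, args_pat, command, args):
    if path_pat.endswith("/"):
        # Directory entry: any command directly in that directory, with any arguments.
        return posixpath.dirname(command) + "/" == path_pat
    if not fnmatch.fnmatchcase(command, path_pat):
        return False
    # An entry without arguments accepts any arguments.
    return args_pat is None or fnmatch.fnmatchcase(args, args_pat)

def decide(command_line, cmnd_list=CMND_LIST):
    """Return (allowed, winning_spec); the last matching entry wins, no match means denied."""
    command, _, args = command_line.partition(" ")
    allowed, winner = False, None
    for spec, allow, path_pat, args_pat in parse(cmnd_list):
        if entry_matches(path_pat, args_pat, command, args):
            allowed, winner = allow, spec
    return allowed, winner

if __name__ == "__main__":
    # /bin/ksh and /usr/bin/vi are assumed install paths, not taken from the thread.
    for line in ("/bin/su - root", "/usr/sbin/visudo", "/bin/ksh", "/usr/bin/vi /etc/motd"):
        allowed, spec = decide(line)
        print(f"{'ALLOW' if allowed else 'DENY':5} {line:22} last match: {spec}")
```

Each denial wins only for the exact command line it names; every other program under a granted directory falls through to the directory entry and is allowed.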