[sudo-users] su except root
Battersby-Cornmell, Robin Alasdair
Robin.Battersby-Cornmell at uisl.unisys.com
Wed Jul 8 07:10:32 EDT 2009
Your approach may be a little open to abuse with people able to simply copy su to another name and then call that with "sudo cp -p /usr/bin/su ./mysu; sudo mysu -" or similar.
Another way (not perfect either) is to edit /.profile (assuming you're using sh, ksh, bash etc.) to trace the caller, something like:-
#!/bin/ksh
# root's .profile
# Identify the tty and parent process of this login shell
ps -o user=,tty=,ppid= -p $$ | read uid tid ppid
# Only check interactive terminal logins (see note below for the tty naming test)
if [ "$tid" != "${tid#pts}" -o "$tid" != "${tid#tty}" ]
then
    # Find the session that owns this tty and the process that called us
    who -i | grep "$tid " | read rid b c d e f lpid rest
    ps -o user=,ppid=,args= -p $ppid | read cid cpid cargs
    # The calling account must appear exactly once in the allowed list
    if [ `grep -c "$cid" /etc/rootusers.allowed` -ne 1 ]
    then
        echo "Not allowed access to login as root."
        # Write attempt in your security log with info collected above
        exit
    fi
fi
# Carry on with .profile here
You need to edit the "if" to capture your terminal definition style, e.g. pts/1, ttyAA/AA11 or whatever. Make sure that you allow direct console login as a fallback. Test it very thoroughly and consider what will happen in a boot when the profile is read.
This is quickly cobbled together and not tested, so no liability is accepted.
Of course, it can still be hacked round by altering /etc/rootusers.allowed. Perhaps the best way would be to specifically allow what is acceptable rather than trying to have a blanket grant and then prevent what you don't want them to do. Shared accounts are always a bad idea as you lose the accountability anyway. How do you square it with the auditors? The shared accounts might be okay if you script everything and then allow users to call the script and don't let them enter arbitrary commands.
Robin
Unisys, Liverpool
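The following sudoers fragment is an added example of the "specifically allow what is acceptable" approach, not code from either poster: instead of granting ALL and subtracting su-to-root, it names the accounts users may become, so the rule does not depend on matching the path or argument forms of su. The target account names and the fragment path are assumed.

```sudoers
# Added example (not from the thread): allow becoming a fixed set of
# accounts rather than "anyone except root". Target names are assumed.
User_Alias  NON_ROOT  = APistocc, DThornto        # user names from the thread
Runas_Alias APP_USERS = appuser, webuser, dbuser  # assumed target accounts

# Members of NON_ROOT may run any command, including a login shell, but
# only as the listed accounts. root is never a permitted runas user, and
# no rule mentions su, so renaming or copying su gains nothing.
NON_ROOT ALL = (APP_USERS) ALL

# User side, instead of "sudo su - appuser":
#   sudo -u appuser -i
# Checks after installing as /etc/sudoers.d/nonroot (assumed path):
#   visudo -c -f /etc/sudoers.d/nonroot   # syntax check of this fragment
#   sudo -l -U APistocc                   # confirm only APP_USERS are runnable
```

With this rule a bare "sudo su" is refused, since its implied runas user is root, which is not in APP_USERS.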
-----Original Message-----
From: Thornton, Don [mailto:Don.Thornton at stvin.org]
Sent: Monday, July 06, 2009 5:20 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] su except root
Add the following lines (visudo) to your /etc/sudoers file:
User_Alias NON_ROOT = APistocc, DThornto
Cmnd_Alias SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root
NON_ROOT ALL=(ALL) ALL, !SU_TO_ROOT
Don Thornton Jr.
The Unix System Administrator
St. Vincent Regional Medical Center
455 St. Michaels Dr.
Santa Fe, NM 87505
Wrk: 505-913-4875
Fax: 505-913-4957
On 10/5/06, ANDREW PISTOCCHI <APISTOCCHI at ut.edu> wrote:
>
> I have users able to su - as another user using sudo but how can I
> exclude them from root? I want them to be able to sudo su as any user
> except root. Right now if they type: sudo su and hit <Enter> they get
> the root # prompt. I don't want this.
>
> Is there an easy way to allow them to su to all users except root?
>
> Andy Pistocchi
> apistocch at ut.edu
> 813-258-7422
> The University of Tampa