Problems with blocking access...

Rikk Sullenberger rikk at psi.com
Thu Jan 18 11:38:41 EST 2001


Hi all,

I have been looking over Sudo and have tried configuring sudo to block users' access to su, other shells, etc., but have been having troubles with it. Below is my sudoers file. I am editing the file using visudo.


An example would be for users in the OPSTECH alias: even though sudoers is set up to deny shell changes etc., they still can...???

Can someone point me in the right direction on this?



Thanks much in advance.

Rikk Sullenberger
Senior Unix Administrator
PSINet, inc


# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification
User_Alias OPSTECH=mccloudm
User_Alias OPSENG=brownp
User_Alias AWSENG=bmarm

# Cmnd alias specification
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh
Cmnd_Alias SU=/bin/su
Cmnd_Alias SBIN=/usr/sbin/*
Cmnd_Alias SHUTDOWN=/usr/sbin/shutdown,/usr/bin/reboot,/etc/halt
Cmnd_Alias PKG=/usr/sbin/pkgadd,/usr/sbin/pkgask,/usr/sbin/pkgchk, \
           /usr/bin/pkginfo,/usr/bin/pkgmk,/usr/sbin/pkgmv,/usr/bin/pkgparam, \
           /usr/bin/pkgproto,/usr/sbin/pkgrm,/usr/bin/pkgtrans
Cmnd_Alias USER=/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod
Cmnd_Alias GROUP=/usr/sbin/groupadd,/usr/sbin/groupdel,/usr/sbin/groupmod
Cmnd_Alias VISUDO=/opt/sudo/sbin/visudo,/opt/sudo-1.5.7p2/sbin/visudo

# User privilege specification
root    ALL=(ALL) ALL
OPSTECH ALL=ALL,!SHELLS,!SU,!SBIN,!SHUTDOWN,!VISUDO
OPSENG  ALL=ALL,!SHELLS,!SU,!PKG,!USER,!GROUP,!VISUDO
AWSENG  ALL=ALL,!SHELLS,!SU,!PKG
iannucci ALL=(ALL) NOPASSWD: ALL
hubbard ALL=(ALL) NOPASSWD: ALL
mtaylor ALL=(ALL) NOPASSWD: ALL
psieng  ALL=(ALL) NOPASSWD: ALL
dnsadm  ALL=(ALL) NOPASSWD: ALL
reede   ALL=(ALL) NOPASSWD: ALL
rikk    ALL=(ALL) NOPASSWD: ALL
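
An added example, not part of the original post or of sudo itself: a small Python check that flags sudoers rules of the form used above, granting ALL and then subtracting commands with `!`. The sudoers manual notes that subtracting commands from ALL is generally not effective, so such rules are candidates for replacement with an explicit list of permitted commands. The function names and the reduced sample are constructed, and the parser covers only the simple rule syntax shown here.

```python
import re

# Constructed sample, reduced from the sudoers file in the post above.
SAMPLE = """\
User_Alias OPSTECH=mccloudm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh
Cmnd_Alias SU=/bin/su
Cmnd_Alias PKG=/usr/sbin/pkgadd, \\
           /usr/sbin/pkgrm
root    ALL=(ALL) ALL
OPSTECH ALL=ALL,!SHELLS,!SU
AWSENG  ALL=ALL,!SHELLS,!SU,!PKG
rikk    ALL=(ALL) NOPASSWD: ALL
backup  ALL=/usr/sbin/pkgchk
"""

ALIAS = re.compile(r"^(?:User|Runas|Host|Cmnd)_Alias\s")
SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(.*)$")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comments (simplified: any '#' starts one)."""
    joined = re.sub(r"\\\n\s*", "", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def find_denylist_rules(text):
    """Return (who, [negated commands]) for rules that grant ALL and then subtract."""
    findings = []
    for line in logical_lines(text):
        if ALIAS.match(line) or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, cmds = m.groups()
        cmds = re.sub(r"^\([^)]*\)\s*", "", cmds)   # strip a leading (runas) list
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", cmds)   # strip tags such as NOPASSWD:
        items = [c.strip() for c in cmds.split(",") if c.strip()]
        negated = [c[1:].strip() for c in items if c.startswith("!")]
        if "ALL" in items and negated:
            findings.append((who, negated))
    return findings

if __name__ == "__main__":
    for who, negated in find_denylist_rules(SAMPLE):
        print(f"{who}: grants ALL minus {', '.join(negated)} (deny list; prefer an explicit allow list)")
```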