sudoers file : prevention of su to root

Jeremy Fason jfason at rocketmail.com
Mon Oct 8 19:19:03 EDT 2001


This is what I have done to stop su'ing to any root
variation (assuming "su" is in /usr/bin; I have seen a
few users copy su to their home dir and then run it,
but that's what logs are for; guarantee they won't do it
again).  I even had to add the last line because the
command "sudo su<character>" (notice the missing
space, which is usually a typo, i.e. "sudo su -oracle")
would do the equivalent of "sudo -s", which was not
good.  This will let users su [ ,-] <anyuser> only.

Cmnd_Alias SUROOT = !/usr/bin/su "", !/usr/bin/su -, \
     !/sbin/su.static "", !/sbin/su.static -, \
     /usr/bin/su - [a-z]*, /usr/bin/su [a-z]*, \
     !/usr/bin/su root, !/usr/bin/su - root, \
     !/usr/bin/su -[a-z]*, !/sbin/su.static -[a-z]*

BTW, this even stops the sudo -s (root shell) switch.

Hope this helps.
--- "Parson, David" <David.Parson at pacificorp.com>
wrote:
> 
> Folks:
> 
> I have been trying to write a generic sudoers file
> to prevent most folks
> {note: most, but not all} from doing a "su -, su,
> ...". I think you get the
> idea in that in most cases I don't care if folks use
> "sudo su someone", but
> that they be prevented from doing any kind of su to
> root shell.
> 
> Someone was kind enough to send me the syntax with
> some ideas on how to
> implement this, but some of the syntax won't work
> and what does will not
> prevent a su to root.
> 
> thanks 
> 
> --David
> 
> 
> -----Original Message-----
> From: Matthew Hannigan [mailto:mlh at zip.com.au]
> Sent: Monday, October 08, 2001 12:14 PM
> To: sudo-users at courtesan.com
> Subject: [Fwd: equiv of "su -"]
> 
> 
> Anyone?
> 
> mlh at zip.com.au wrote:
> > 
> > All,
> > I want sudo root shell to run .profile.
> > 
> > What is the sudo equivalent to "su -" ?
> > 
> > Besides "sudo su -" that is.  Because
> > for RUNAS users, you would have to allow
> > them to run su as root, and restrict them
> > somehow to su - RUNASUSER.
> > 
> > Regards,
> >  -Matt
> > 
> ____________________________________________________________
> 
> sudo-users mailing list <sudo-users at courtesan.com>
> For list information, options, or to unsubscribe,
> visit:
> http://www.courtesan.com/mailman/listinfo/sudo-users
> 
> 



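An added worked example, not code from the original post or from sudo itself: a small Python model of how sudo evaluates a Cmnd_Alias, applied to the SUROOT alias above so that each su invocation mentioned in the thread can be checked against the policy before it is installed. It assumes sudo's documented matching rules (entries are tried in order and the last match wins; `""` means the command must be run with no arguments; a rule that names no arguments matches any arguments; argument patterns are matched with fnmatch against the space-joined argument string). The alias text is a constructed copy of the posted one, written with backslash continuations; the function names are this example's own.

```python
import fnmatch

# Constructed copy of the SUROOT alias from the post, written as one logical
# sudoers line with backslash continuations (assumption: that is the form
# sudoers expects for a multi-line alias).
SUROOT_TEXT = r"""
Cmnd_Alias SUROOT = !/usr/bin/su "", !/usr/bin/su -, \
     !/sbin/su.static "", !/sbin/su.static -, \
     /usr/bin/su - [a-z]*, /usr/bin/su [a-z]*, \
     !/usr/bin/su root, !/usr/bin/su - root, \
     !/usr/bin/su -[a-z]*, !/sbin/su.static -[a-z]*
"""


def parse_cmnd_alias(text):
    """Parse a single Cmnd_Alias definition into (name, entries).

    Each entry is (negated, path, argpat): argpat is None when the rule
    names no arguments, '""' when it requires no arguments, or the
    argument pattern otherwise.
    """
    logical = text.replace("\\\n", " ").strip()
    head, _, body = logical.partition("=")
    name = head.replace("Cmnd_Alias", "").strip()
    entries = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        path, _, argpat = item.lstrip("!").strip().partition(" ")
        entries.append((negated, path, argpat.strip() or None))
    return name, entries


def args_match(argpat, args):
    """Model of sudo's argument matching for one rule."""
    if argpat is None:          # rule gives no arguments: any arguments match
        return True
    if argpat == '""':          # rule says "": command must have no arguments
        return args == ""
    return fnmatch.fnmatchcase(args, argpat)


def permitted(entries, path, argv):
    """Model of sudo evaluating a command against an alias: rules are tried
    in order, the last matching rule decides, and no match means denied."""
    args = " ".join(argv)
    verdict = False
    for negated, rule_path, argpat in entries:
        if rule_path == path and args_match(argpat, args):
            verdict = not negated
    return verdict


def check_cases(entries):
    """Evaluate the invocations discussed in the thread; returns {cmdline: bool}."""
    cases = [
        ("/usr/bin/su", []),
        ("/usr/bin/su", ["-"]),
        ("/usr/bin/su", ["oracle"]),
        ("/usr/bin/su", ["-", "oracle"]),
        ("/usr/bin/su", ["root"]),
        ("/usr/bin/su", ["-", "root"]),
        ("/usr/bin/su", ["-oracle"]),      # the missing-space typo from the post
        ("/sbin/su.static", ["-"]),
    ]
    return {" ".join([p] + a): permitted(entries, p, a) for p, a in cases}


if __name__ == "__main__":
    name, entries = parse_cmnd_alias(SUROOT_TEXT)
    print(f"Evaluating against Cmnd_Alias {name} ({len(entries)} rules)")
    for cmdline, ok in check_cases(entries).items():
        print(f"{'ALLOW' if ok else 'DENY ':5}  sudo {cmdline}")
```

Running it shows why the ordering of the alias matters: "su oracle" and "su - oracle" are accepted by the two positive rules, while "su root", "su - root" and "su -oracle" first match a positive rule and are then overridden by the later negated one. The model is a reading aid only; the authoritative check remains `visudo -c` on the real file and `sudo -l` as the affected user.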
