sudoers file config help

Barnaby Brown barnaby_brown at pacific.net.au
Wed Sep 19 03:54:17 EDT 2001


On Tue, Sep 18, 2001 at 05:11:59PM -0700, Parson, David wrote:
> I need assistance in setting up the sudoers file in such a way that the user
> can run any commands on the 
> local machine except su to root {any shell of course}.  I see a way to do
> this, but the syntax that I use is not correct.
> 
> Any recommendations ?

Yes: It can't be done using sudo, don't even try.

> This must be secure - in other words no way can this person or persons get
> to any root shell.
> 
> I am sure that I can use the same syntax to restrict activities such as "su
> - something" in the case where I need to do this as well.

Yes, you can block "su - something", and you can block "su <shell>", but
you can't stop somebody creating a new shell under a new name and
sudoing that, and you can't stop them writing an arbitrary shell script
and sudoing that. There are far too many ways around it for anyone to
list... and even when they run out, the person next to them has half a
dozen more.

This should really be added to the FAQ:
Q)	Can I use sudo to grant permission to all commands except a
        certain few? (eg shells)
A)	No, there are too many ways to get around it. sudo is designed
        as a tool for granting privileged permissions to certain selected
        actions, and you should be very careful what you allow.

Regards,
Barnaby
-- 
Barnaby Brown                            -              Systems Engineer
Pacific Internet (Australia) Pty Ltd     -     http://www.pacific.net.au


