sudoers file config help

Julian.Tan at Julian.Tan at
Wed Sep 19 06:54:08 EDT 2001

I would like to warn all users that it is always VERY DANGEROUS to allow
access to all commands and then finding ways to block certain commands ....
I would always suggest to enable commands as and when they are needed even
if this takes more time to administer and configure. Never ever compromise
security with workload because once someone hacked in the system, the
workload might be even more heavy ....

Best Regards,
Julian Tan

----- Forwarded by Julian Tan/AZAP/Allianz-SG on 19/09/2001 18:44 -----
                    Barnaby Brown                                                                 
                    <barnaby_brown at pacif       To:     sudo-users at                   
          >                 cc:                                                
                    Sent by:                   Subject:     Re: sudoers file config help          
                    sudo-users-admin at cou                                                          
                    19/09/2001 15:54                                                              

On Tue, Sep 18, 2001 at 05:11:59PM -0700, Parson, David wrote:
> I need assistance in setting up the sudoers file in such a way that the
> can run any commands on the
> local machine except su to root {any shell of course}.  I see a way to do
> this, but the syntax that I use if not correct.
> Any recommendations ?

Yes: It can't be done using sudo, don't even try.

> This must be secure - in other words no way can this person or persons
> to any root shell.
> I am sure that I can use the same syntax to restrict activities such as
> - something" in the case where I need to do this as well.

Yes, you can block "su - something", and you can block "su <shell>", but
you can't stop somebody creating a new shell under a new name and
sudoing that, and you can't stop them writing an arbitrary shell script
and sudoing that. There are far too many ways around it for anyone to
list... and even when they run out, the person next to them has half a
dozen more.

This should really be added to the FAQ:
Q)         Can I use sudo to grant permission to all commands except a
        certain few? (eg shells)
A)         No, there are too many ways to get around it. sudo is designed
        as a tool for granting privileged permissions to certain selected
        actions, and you should be very careful what you allow.

Barnaby Brown                            -              Systems Engineer
Pacific Internet (Australia) Pty Ltd     -
sudo-users mailing list <sudo-users at>
For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list