(ALL, !root, !#0) as runas does not work as expected
Woo, April
April.Woo at spirentcom.com
Wed Dec 11 10:14:55 EST 2002
This was sent out as an example in the past. april ;-)
## COMMAND ALIASES: These are specific commands allowed by sudo.
# *** SUROOT prevents unauthorized users from suing to ***
# *** root account while allowing su to other accounts. ***
Cmnd_Alias SUROOT =
!/usr/bin/su "", !/usr/bin/su -,
!/sbin/su.static "",!/sbin/su.static -,
/usr/bin/su - [a-z]*, /usr/bin/su [a-z]*,
!/usr/bin/su root, !/usr/bin/su - root,
!/usr/bin/su -[a-z]*, !/sbin/su.static -[a-z]*
-----Original Message-----
From: Michael Coulter [mailto:mjc at bitz.ca]
Sent: Tuesday, December 10, 2002 3:53 PM
To: Todd C. Miller
Cc: sudo-users at sudo.ws
Subject: Re: (ALL, !root, !#0) as runas does not work as expected
On Tue, Dec 10, 2002 at 12:41:56PM -0700, Todd C. Miller wrote:
> The "!#0" only prevents someone from running "sudo -u #0"
Is there a method of specifying a runas field that
prevents usage as any uid 0 account ?
To make thing easier, all the uid 0 accounts are of the format
??root or ?root. I tried a line like this with no luck stopping
usage as ??root type users.
user ALL=(ALL , !#0, !root, ![A-z]*root) NOPASSWD: /bin/bash
Is this possible with sudo ?
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
More information about the sudo-users
mailing list