(ALL, !root, !#0) as runas does not work as expected

Woo, April April.Woo at spirentcom.com
Wed Dec 11 10:14:55 EST 2002


This was sent out as an example in the past. april ;-)

## COMMAND ALIASES: These are specific commands allowed by sudo.
#  *** SUROOT prevents unauthorized users from su-ing to  ***
#  *** root account while allowing su to other accounts.  ***

Cmnd_Alias SUROOT = \
     !/usr/bin/su "", !/usr/bin/su -, \
     !/sbin/su.static "",!/sbin/su.static -, \
     /usr/bin/su - [a-z]*, /usr/bin/su [a-z]*, \
     !/usr/bin/su root, !/usr/bin/su - root, \
     !/usr/bin/su -[a-z]*, !/sbin/su.static -[a-z]*

-----Original Message-----
From: Michael Coulter [mailto:mjc at bitz.ca]
Sent: Tuesday, December 10, 2002 3:53 PM
To: Todd C. Miller
Cc: sudo-users at sudo.ws
Subject: Re: (ALL, !root, !#0) as runas does not work as expected


On Tue, Dec 10, 2002 at 12:41:56PM -0700, Todd C. Miller wrote:

> The "!#0" only prevents someone from running "sudo -u #0"

Is there a method of specifying a runas field that
prevents usage as any uid 0 account ?

To make things easier, all the uid 0 accounts are of the format
??root or ?root. I tried a line like this with no luck stopping
usage as ??root type users.

user    ALL=(ALL , !#0, !root, ![A-z]*root) NOPASSWD: /bin/bash

Is this possible with sudo ?
____________________________________________________________ 
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
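
Added example, not part of the original thread or of sudo itself: going by the quoted reply that "!#0" only matches a literal "sudo -u #0", one way to cover every uid 0 account is to read the account names out of the passwd data and negate each by name through a Runas_Alias. The alias name UID0, the function names and the sample passwd entries are assumptions made up for this illustration.

```shell
#!/bin/sh
# Added example: name every UID-0 account in a Runas_Alias so each can be
# negated by name in a sudoers runas list.

# Constructed passwd(5) sample: three UID-0 names, one look-alike with UID 1001.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
xroot:x:0:0:alt root:/root:/bin/sh
dbroot:x:0:0:db root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
uproot:x:1001:1001:name matches, uid does not:/home/uproot:/bin/sh
EOF
}

# uid0_alias FILE [ALIAS]
# Print "Runas_Alias ALIAS = name, name, ..." for every entry of the
# passwd-format FILE whose UID field is zero ("00" counts too). Returns 1
# and prints nothing when there is none, since an empty alias is invalid.
uid0_alias() {
    awk -F: -v alias="${2:-UID0}" '
        /^#/ || NF < 3 { next }
        $3 ~ /^0+$/    { list = list (n++ ? ", " : "") $1 }
        END { if (!n) exit 1
              printf "Runas_Alias %s = %s\n", alias, list }' "$1"
}

# Demo on the constructed sample; on a real host pass /etc/passwd, or a file
# made with "getent passwd" to include directory-service accounts.
tmp=$(mktemp)
sample_passwd > "$tmp"
uid0_alias "$tmp"
# "user" and /bin/bash are the placeholders from the post above.
echo 'user    ALL = (ALL, !#0, !UID0) NOPASSWD: /bin/bash'
rm -f "$tmp"
```

The alias is a snapshot: it has to be regenerated whenever a uid 0 account is added or renamed, and the resulting file can be syntax-checked with `visudo -c -f` before it is installed.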


