[sudo-users] sudoers question

Todd C. Miller Todd.Miller at courtesan.com
Mon Dec 13 17:04:12 EST 2004

When you give someone sudo ALL you give them the means to get around
sudo's logging.  Trying to deny things with '!' is not very
realistic--there is always a way around it if you have ALL.  You
are much better off just giving users a set of commands that they
can run instead of trying to give them access to everything and
adding restrictions.

One thing you can do is to use the "noexec" option or NOEXEC tag
in sudo 1.6.8 to prevent users from running commands that in turn
invoke other commands but this can be defeated by running a static

If what you are worried about is an audit trail, the current sudo
sources in cvs support monitoring the sudo-run command an intercepting
exec system calls for systems that support systrace (see

Really though, this comes down to policy.  If people are abusing
your trust by running shells when they are not supposed to be you
should consider simply revoking their sudo privileges.

 - todd

More information about the sudo-users mailing list