[sudo-users] sudoers exception failure with root

Mike iminneed at gmail.com
Thu Sep 1 15:28:03 EDT 2005

Would love to, but we are financial in nature and have multiple audit 
requirements that state no user will become root or an administrator of 
a production machine unless performing systems upgrades. This command 
syntax use to work until we upgraded our machines now it doesn't. We 
still need to allow user to su to other users to start applications and 
do other functions that their job requires so removing su completely 
isn't an option. Oh yeah, like most companys they don't want to spend 
the money to get any of the third party products that could control / 
monitor this for us.


Brent Fortman wrote:

>With this level of access, you have already given away the proverbial
>"keys to the kingdom".  There is very little you can do to prevent
>anyone from becoming root if they really want to (e.g. sudo ksh, or sudo
>vi and escape to shell). If you are going to give away this much access,
>why not simply trust your ADMIN users or perhaps monitor their activity
>via the logs?
>-----Original Message-----
>From: sudo-users-bounces at courtesan.com
>[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Mike
>Sent: Wednesday, August 31, 2005 1:53 PM
>To: sudo-users at sudo.ws
>Subject: [sudo-users] sudoers exception failure with root
>I need some help understanding why sudo isn't allowing me to prevent 
>users from logging on as root. I looked in the  posts archives and 
>didn't see anything so I'm sorry if this is a recursive post. I followed
>the example in the sudoers manual and yet I'm still allowed to login as 
>root. Here is a few lines of the sudoers file that should have the 
>proper syntax, any help would be appreciated:
>ADMIN           ALL=(ALL)       /usr/local/bin/, /usr/local/sbin/, \
>                                /usr/bin/, /usr/sbin/, \
>                                /bin/, /sbin/, \
>                                /etc/, \
>                                /bin/su [-]?*, !/bin/su [-]*root*, \
>                                /usr/sbin/su [-]?*, !/usr/sbin/su 
>[-]*root*, \
>                                /usr/local/scripts/, \
>                                /usr/local/scripts/backup/, \
>                                !/usr/sbin/visudo,
>!/usr/local/bin/visudo, \
>                                !/sbin/visudo, \
>                                !/usr/bin/passwd root, \
>                                !/etc/passwd root
>There are no further instances of  /bin, /sbin  any where else in the
>In reading through other posts,  I understand that the processing of 
>request is the last item seen is the item that wins. I am at a loss as 
>to how to deny user to logon as root.
>Thank you for your time.
>sudo-users mailing list <sudo-users at sudo.ws>
>For list information, options, or to unsubscribe, visit:

More information about the sudo-users mailing list