[sudo-users] sudoers exception failure with root
Mike
iminneed at gmail.com
Thu Sep 1 15:28:03 EDT 2005
Would love to, but we are financial in nature and have multiple audit
requirements that state no user will become root or an administrator of
a production machine unless performing systems upgrades. This command
syntax used to work until we upgraded our machines; now it doesn't. We
still need to allow users to su to other users to start applications and
do other functions that their job requires, so removing su completely
isn't an option. Oh yeah, like most companies they don't want to spend
the money to get any of the third party products that could control /
monitor this for us.
Mike
Brent Fortman wrote:
>With this level of access, you have already given away the proverbial
>"keys to the kingdom". There is very little you can do to prevent
>anyone from becoming root if they really want to (e.g. sudo ksh, or sudo
>vi and escape to shell). If you are going to give away this much access,
>why not simply trust your ADMIN users or perhaps monitor their activity
>via the logs?
>
>Brent
>
>-----Original Message-----
>From: sudo-users-bounces at courtesan.com
>[mailto:sudo-users-bounces at courtesan.com] On Behalf Of Mike
>Sent: Wednesday, August 31, 2005 1:53 PM
>To: sudo-users at sudo.ws
>Subject: [sudo-users] sudoers exception failure with root
>
>I need some help understanding why sudo isn't allowing me to prevent
>users from logging on as root. I looked in the post archives and
>didn't see anything, so I'm sorry if this is a repeat post. I followed
>the example in the sudoers manual and yet I'm still allowed to log in as
>root. Here are a few lines of the sudoers file that should have the
>proper syntax; any help would be appreciated:
>
>ADMIN ALL=(ALL) /usr/local/bin/, /usr/local/sbin/, \
> /usr/bin/, /usr/sbin/, \
> /bin/, /sbin/, \
> /etc/, \
> /bin/su [-]?*, !/bin/su [-]*root*, \
> /usr/sbin/su [-]?*, !/usr/sbin/su [-]*root*, \
> /usr/local/scripts/, \
> /usr/local/scripts/backup/, \
> !/usr/sbin/visudo, !/usr/local/bin/visudo, \
> !/sbin/visudo, \
> !/usr/bin/passwd root, \
> !/etc/passwd root
>
>There are no further instances of /bin, /sbin any where else in the
>file.
>
>In reading through other posts, I understand that when processing a
>request, the last item seen is the item that wins. I am at a loss as
>to how to deny users the ability to log on as root.
>
>Thank you for your time.
>
>Mike
>____________________________________________________________
>sudo-users mailing list <sudo-users at sudo.ws>
>For list information, options, or to unsubscribe, visit:
>http://www.sudo.ws/mailman/listinfo/sudo-users
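As an added illustration (not code from the list or from the sudo project), the following Python script applies a simplified model of sudoers command matching to the rules quoted above: directory entries allow any command in that directory with any arguments, argument patterns are fnmatch globs (so "[-]" is a mandatory literal dash, not an optional one), a leading "!" negates, and the last matching entry wins. The invocations it checks are constructed, and the shell path /bin/sh is an assumption; running it shows which root-yielding invocations the "!" entries never touch because the earlier "/bin/" entry already permits su with any arguments.

```python
import fnmatch
import os

# Simplified model of sudoers matching (an assumption, not sudo's own code):
# - an entry ending in "/" matches any command directly in that directory,
#   with any arguments;
# - "cmd pattern" matches when the path is equal and the pattern glob-matches
#   the space-joined arguments (sudo uses fnmatch, so "[-]" must match a "-");
# - an entry with no pattern matches any arguments;
# - a leading "!" negates; the last matching entry decides the outcome.
POSTED_RULES = [
    "/usr/local/bin/", "/usr/local/sbin/", "/usr/bin/", "/usr/sbin/",
    "/bin/", "/sbin/", "/etc/",
    "/bin/su [-]?*", "!/bin/su [-]*root*",
    "/usr/sbin/su [-]?*", "!/usr/sbin/su [-]*root*",
    "/usr/local/scripts/", "/usr/local/scripts/backup/",
    "!/usr/sbin/visudo", "!/usr/local/bin/visudo", "!/sbin/visudo",
    "!/usr/bin/passwd root", "!/etc/passwd root",
]

def entry_matches(entry, cmd, args):
    """Does one (un-negated) sudoers command entry match this invocation?"""
    if entry.endswith("/"):
        return os.path.dirname(cmd) + "/" == entry
    path, _, pattern = entry.partition(" ")
    if path != cmd:
        return False
    return pattern == "" or fnmatch.fnmatchcase(" ".join(args), pattern)

def sudo_decides(rules, cmd, args):
    """Return 'allow', 'deny' or 'no match', last matching entry wins."""
    verdict = "no match"
    for entry in rules:
        if entry_matches(entry.lstrip("!"), cmd, args):
            verdict = "deny" if entry.startswith("!") else "allow"
    return verdict

def audit(rules, invocations):
    """Map each invocation (cmd, args) to the verdict the rules give it."""
    return {" ".join([cmd, *args]): sudo_decides(rules, cmd, args)
            for cmd, args in invocations}

if __name__ == "__main__":
    # Constructed invocations; every one of them ends up as root if permitted.
    checks = [("/bin/su", []), ("/bin/su", ["-"]), ("/bin/su", ["root"]),
              ("/bin/su", ["-", "root"]), ("/bin/su", ["-c", "id", "root"]),
              ("/bin/sh", [])]  # assumes a shell is installed in /bin/
    for line, verdict in audit(POSTED_RULES, checks).items():
        print(f"{verdict:8s} sudo {line}")
```

Only the two invocations whose argument strings literally contain a dash followed by "root" are denied; the rest are allowed by "/bin/", which is why the deny entries alone cannot enforce the audit requirement.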