[sudo-users] sudoers exception failure with root

Mike iminneed at gmail.com
Thu Sep 1 15:41:17 EDT 2005


You are correct, yes login should be su, and while we don't want the 
users to su to become root we do need them to su to become other users.

I did the sudo -l  and go the following;

(ALL) /usr/local/bin/
    (ALL) /usr/local/sbin/
    (ALL) /usr/bin/
    (ALL) /usr/sbin/
    (ALL) /bin/
    (ALL) /sbin/
    (ALL) /etc/
    (ALL) /bin/su [-]?*
    (ALL) !/bin/su [-]*root*
    (ALL) /usr/sbin/su [-]?*
    (ALL) !/usr/sbin/su [-]*root*

Plus more but that's just different directories.

It's ok if you are sleep-deprived, you work in IT it's expected


Russell Van Tassell wrote:

>On Wed, Aug 31, 2005 at 12:53:23PM -0600, Mike wrote:
>>I need some help understanding why sudo isn't allowing me to prevent 
>>users from logging on as root. I looked in the  posts archives and 
>>didn't see anything so I'm sorry if this is a recursive post. I followed 
>>the example in the sudoers manual and yet I'm still allowed to login as 
>>root. Here is a few lines of the sudoers file that should have the 
>>proper syntax, any help would be appreciated:
>When you say "login," I'm assuming you really mean "su" here, correct?
>There are mechanisms other than sudo to help with the login process
>issue, itself.  So, assuming you're attempting to prevent them simply
>from doing a "sudo su root," do we assume that they're allowed to su
>to any other user, then?
>Often when debugging these issues, it's helpful to try a "sudo -l" on
>the host in-question... it should give you a better idea of how the
>sudoer's file is actually getting parsed.
>Apologies, as I'm rather sleep-deprived this week...

More information about the sudo-users mailing list