[sudo-users] sudo interactive + ldap`

Mark mark at mbfk.net
Mon Jul 17 10:42:10 EDT 2006

Hello All,

I'm currently running Sudo version 1.6.8p9 on HPUX 11i and 11.0 in combination with Netscape
Directory Server 6.1 and 6.11.
Everything works just fine, I have the users in the same ldapdirectory as the sudo cn=default and
and a number of roles.

There's one thing I recently found and it's puzzling me..

I've created a number of roles for different types of operators on our systems.
Some roles have rights to some/all commands but 'su' and all shells.
This because all command's they perform as root have to be logged.
Now it turns out they can still do this, getting a rootshell that is, by issuing 'sudo -i'.

So the questionn is : Is there a way to prevent this ?
And the second question : how do I do this in the LDAP configuration ?

Thanks for your ideas on this.

Mark Benschop

More information about the sudo-users mailing list