[sudo-users] How to prevent editing sudoers-file

Huibert.Kivits at mail.ing.nl Huibert.Kivits at mail.ing.nl
Sun Nov 26 20:31:30 EST 2006

If you store all sudo authorizations in LDAP, you can be certain the
user has no ability to change his sudo authorizations.
You would still have to audit /etc/sudoers, but that would be
considerably easier. /etc/sudoers should be 0 or 1 byte small, if you
would decide to manage sudo from LDAP.

Of course, this won't stop a user who has sudo ALL from doing malicious

Kind regards,

Huibert Kivits
"It can always be better and stricter, but stricter is not always better."

-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On behalf of Claude Hohl
Sent: Saturday 25 November 2006 0:16
To: sudo-users at sudo.ws
Subject: [sudo-users] How to prevent editing sudoers-file


I want to give root-rights to a user with sudo. He should be able to
do anything; but everything has to be logged. I prevented
shell-escapes with noexec.
So far, so good.

Now the serious thing:

How can I prevent the user from editing the /etc/sudoers file with sudo?

Yeees, I could add the line:
!/usr/bin/vi /etc/sudoers

But have a look at this:

ln -s /etc/sudoers ./mysudoers
sudo vi ./mysudoers

Ring any alarming bells?

Obviously, I can't deny him making a softlink to the sudoers file;
this doesn't require root rights. And I can't deny him the use of vi
(even then, there are so many other text editors that would do the
trick if executed by sudo).

The user could gain more rights, or remove some restrictions defined  
in the sudoers file.

Sudo doesn't trace softlinks. I think that's a SERIOUS fault.

Or is there any possibility to make the /etc/sudoers file only  
editable by visudo (and no, absolutely no write-rights to root)?

Thanks for your help
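As an added example (not from either poster), here is the kind of log check the two messages point at: it reads sudo's syslog entries, resolves each command's file operands relative to the logged PWD and through symlinks, and flags anything that ends up at /etc/sudoers or under /etc/sudoers.d, so the `vi ./mysudoers` case above is reported as an edit of /etc/sudoers. The user name, paths and log lines are constructed.

```python
import os
import re
import shlex
import tempfile

# Files whose modification outside of visudo should always be reviewed.
SUDOERS = "/etc/sudoers"
SUDOERS_D = "/etc/sudoers.d/"

# The part of a sudo syslog entry after the "sudo:" tag, e.g.
# "claude : TTY=pts/0 ; PWD=/home/claude ; USER=root ; COMMAND=/usr/bin/vi ./mysudoers"
LOG_RE = re.compile(r"(?P<user>\S+) : TTY=\S+ ; PWD=(?P<pwd>\S+) ; USER=\S+ ; COMMAND=(?P<cmd>.*)$")


def _split_args(cmd):
    try:
        return shlex.split(cmd)
    except ValueError:            # unbalanced quotes in a logged command
        return cmd.split()


def flag_sudoers_edits(log_lines, resolve=os.path.realpath):
    """Return (user, resolved_path, line) for every sudo log entry whose file operands,
    resolved relative to PWD and through symlinks, point at the sudoers policy files.
    `resolve` is injectable so the check can be tested without a real filesystem."""
    hits = []
    for raw in log_lines:
        line = raw.strip()
        m = LOG_RE.search(line)
        if not m:
            continue
        for arg in _split_args(m.group("cmd"))[1:]:   # argv[0] is the program itself
            if arg.startswith("-"):
                continue                               # an option, not a file operand
            path = arg if os.path.isabs(arg) else os.path.join(m.group("pwd"), arg)
            real = resolve(os.path.normpath(path))
            if real == SUDOERS or real.startswith(SUDOERS_D):
                hits.append((m.group("user"), real, line))
                break
    return hits


def demo():
    """Reproduce the symlink case from the thread in a temporary directory (constructed data)."""
    with tempfile.TemporaryDirectory() as pwd:
        os.symlink(SUDOERS, os.path.join(pwd, "mysudoers"))   # same trick as in the question
        lines = [
            f"claude : TTY=pts/0 ; PWD={pwd} ; USER=root ; COMMAND=/usr/bin/vi ./mysudoers",
            f"claude : TTY=pts/0 ; PWD={pwd} ; USER=root ; COMMAND=/bin/ls -l /var/log",
        ]
        return flag_sudoers_edits(lines)
```

Run it against the lines syslog receives from sudo; only the first constructed entry in `demo()` is reported, as `claude edited /etc/sudoers`.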

