[sudo-users] su except root
Michael Potter
pottmi at gmail.com
Fri Oct 6 15:06:54 EDT 2006
These rules:
pottmi ALL=(!root)/usr/bin/su$
pottmi ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi ALL=(!root)/usr/bin/su -
pottmi ALL=(!root)/usr/bin/su - root
lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
logout
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost.
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as root on
localhost.
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
localhost.
localhost:~ pottmi$
Which is my interpretation of what you want. If that is not what you are
after please post the commands that you want to allow and disallow.
I think !ALL would work as well as or better than !root in the Runas area of
the authorization rule.
Also, I still have the feeling that there is a security hole in this. I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by their
membership in the "staff" group.
sudoers file:
-------------
User_Alias PROGRAMMERS=prog1, prog2, prog3
PROGRAMMERS ALL=(root)suuser
-------
source for suuser (not debugged):
-----
#!/bin/bash
# suuser: wrap "su -" so it only runs for accounts that belong to group "staff"
if (( $# != 1 ))
then
    echo "usage: suuser username"
    exit 1
fi
# -w matches "staff" as a whole word only (not e.g. "staffing"); -q keeps the
# group list off the terminal, the exit status is all that is needed here
/usr/bin/groups "$1" | /usr/bin/grep -qw staff
if (( $? != 0 ))
then
    echo "$1 not a member of staff"
    exit 1
fi
su - "$1"
-----
--
potter
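A hardened variant of the wrapper idea from the post above, as an added example (not the list poster's script): it validates the argument so it can never be parsed as an su option, denies by uid 0 rather than by the name "root", and matches the group as a whole word. Assumptions: the allowed group is "staff", su lives at /usr/bin/su, and "id -nG" is available (GNU coreutils and macOS both have it).

```shell
#!/bin/bash
# Hardened suuser wrapper (example code, not from the original post).
ALLOWED_GROUP="staff"

# Accept only a plain account name: nothing empty, no leading "-", no shell
# metacharacters, so "$1" cannot become an su option such as "-c".
valid_username() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!a-zA-Z0-9._]*) return 1 ;;
    esac
    return 0
}

# True when "$2" (whitespace-separated group names) contains "$1" as a
# whole word; a plain grep for "staff" would also match "staffing".
in_group_list() {
    g=
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Policy check: exit status is the verdict, stdout is the reason (for logs).
target_allowed() {
    user="$1"
    valid_username "$user" || { echo "invalid username"; return 1; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user"; return 1; }
    # Deny every uid-0 account by number: an alias like "toor" would pass a
    # check that only looks for the name "root".
    [ "$uid" -ne 0 ] || { echo "uid 0 is never allowed"; return 1; }
    groups=$(id -nG "$user")
    in_group_list "$ALLOWED_GROUP" "$groups" || { echo "not in $ALLOWED_GROUP"; return 1; }
    echo "ok"
    return 0
}

main() {
    if [ $# -ne 1 ]; then echo "usage: suuser username" >&2; exit 1; fi
    reason=$(target_allowed "$1") || { echo "denied: $reason" >&2; exit 1; }
    exec /usr/bin/su - "$1"
}

# Run main only when installed under the name "suuser"; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in suuser) main "$@" ;; esac
```

Install it as /usr/local/bin/suuser (an assumed path) and point the sudoers entry at that full path, since sudoers needs a fully qualified command.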
On 10/5/06, ANDREW PISTOCCHI <APISTOCCHI at ut.edu> wrote:
>
> I have users able to su - as another user using sudo but how can I
> exclude them from root? I want them to be able to sudo su as any user
> except root. Right now if they type: sudo su and hit <Enter> they get
> the root # prompt. I don't want this.
>
>
>
> Is there an easy way to allow them to su to all users except root?
>
>
>
> Andy Pistocchi
>
> apistocch at ut.edu
>
> 813-258-7422
>
> The University of Tampa
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>