[sudo-users] su except root
pottmi at gmail.com
Fri Oct 6 15:06:54 EDT 2006
pottmi ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi ALL=(!root)/usr/bin/su -
pottmi ALL=(!root)/usr/bin/su - root
lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as root on
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
Which is my interpretation of what you want. If that is not what you are
after please post the commands that you want to allow and disallow.
I think !ALL would work as well as or better than !root in the Runas area of
the authorization rule.
Also, I still have the feeling that there is a security hole in this. I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by their
membership in the "staff" group.
User_Alias PROGRAMMERS=prog1, prog2, prog3
source for suuser (not debugged):
if (( $# != 1 ))
echo "usage: suuser username"
/usr/bin/groups $1 |/usr/bin/grep staff
if (( $? != 0 )
echo "$1 not a member of staff"
su - $1
On 10/5/06, ANDREW PISTOCCHI <APISTOCCHI at ut.edu> wrote:
> I have users able to su - as another user using sudo but how can I
> exclude them from root? I want them to be able to sudo su as any user
> except root. Right now if they type: sudo su and hit <Enter> they get
> the root # prompt. I don't want this.
> Is there an easy way to allow them to su to all users except root?
> Andy Pistocchi
> apistocch at ut.edu
> The University of Tampa
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
More information about the sudo-users