[sudo-users] su except root

ANDREW PISTOCCHI APISTOCCHI at UT.EDU
Mon Oct 9 08:33:20 EDT 2006


Thanks Michael.  That is exactly what I needed.  I was hoping I wasn't
going to have to put a line for each user I wanted the programmers to su
to.  And it does not allow them to su to root.

This worked great!

Andy P.

________________________________

From: Michael Potter [mailto:pottmi at gmail.com] 
Sent: Friday, October 06, 2006 3:07 PM
To: ANDREW PISTOCCHI
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] su except root
These rules:
pottmi  ALL=(!root)/usr/bin/su$
pottmi  ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi  ALL=(!root)/usr/bin/su -
pottmi  ALL=(!root)/usr/bin/su - root 

lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:

localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
logout
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost. 
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as
root on localhost.
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
localhost. 
localhost:~ pottmi$ 

Which is my interpretation of what you want.  If that is not what you
are after please post the commands that you want to allow and disallow.

I think !ALL would work as well as or better than !root in the Runas
area of the authorization rule.

Also, I still have the feeling that there is a security hole in this.  I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by
their membership in the "staff" group. 

sudoers file:
-------------
User_Alias PROGRAMMERS=prog1, prog2, prog3

PROGRAMMERS ALL=(root)suuser
-------

source for suuser (not debugged): 
-----
#!/bin/bash

if (( $# != 1 ))
then
   echo "usage: suuser username"
   exit 1
fi

# -q: no output needed, only the exit status
# -w: match "staff" as a whole word, so e.g. "staffing" does not count
/usr/bin/groups "$1" | /usr/bin/grep -qw staff
if (( $? != 0 ))
then
   echo "$1 not a member of staff"
   exit 1
fi

su - "$1"

-----
-- 
potter

On 10/5/06, ANDREW PISTOCCHI <APISTOCCHI at ut.edu> wrote:

I have users able to su - as another user using sudo but how can I 
exclude them from root?  I want them to be able to sudo su as any user
except root.  Right now if they type: sudo su and hit <Enter> they get
the root # prompt.  I don't want this.

Is there an easy way to allow them to su to all users except root?

Andy Pistocchi
apistocch at ut.edu
813-258-7422
The University of Tampa

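The wrapper approach Michael sketches above, written out as an added example for this thread (it is not code from any of the posts and not part of sudo). It keeps the "staff" group from the thread as the marker for permitted target accounts; the SUUSER_GROUP override, the function names and the install path mentioned below are this example's own assumptions. Two checks go beyond the sketch: the target name is validated before it reaches su (so it can never be parsed as an su option), and the policy refuses any account whose numeric uid is 0 rather than only the name "root", because a second uid-0 login name would slip past a name-only test. The policy is kept in a function that takes the uid and group list as arguments, so it can be exercised without real accounts:

```shell
#!/bin/sh
# suuser: let designated users "su -" to ordinary accounts only.
# Added example for this thread; not code from the list posts or from sudo.
# Assumptions: target accounts are marked by membership in the "staff" group
# (the group named in the thread; override with SUUSER_GROUP), and the
# function names below are this example's own.

ALLOWED_GROUP="${SUUSER_GROUP:-staff}"

# Accept only plain account names: non-empty, no leading "-" (so the name
# can never be read by su as an option), and only [A-Za-z0-9._-] characters.
valid_username() {
    case "$1" in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Policy decision on (name, numeric uid, space-separated group list).
# Free of system lookups so it can be tested without real accounts.
target_allowed() {
    user="$1"; uid="$2"; groups="$3"
    valid_username "$user" || return 1
    [ "$user" != "root" ] || return 1
    # Refuse any uid-0 account, not just one named "root": a second
    # uid-0 login name would pass a name-only check.
    [ "$uid" != "0" ] || return 1
    # Whole-word match, so "staffing" does not satisfy "staff".
    case " $groups " in
        *" $ALLOWED_GROUP "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve a real account with id(1) and apply the policy to it.
check_account() {
    acct="$1"
    valid_username "$acct" || return 1
    acct_uid=$(id -u "$acct" 2>/dev/null) || return 1
    acct_groups=$(id -Gn "$acct" 2>/dev/null) || return 1
    target_allowed "$acct" "$acct_uid" "$acct_groups"
}

main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: suuser username" >&2
        exit 2
    fi
    if ! check_account "$1"; then
        echo "suuser: switching to '$1' is not permitted" >&2
        exit 1
    fi
    # valid_username already rejected leading dashes, so "$1" is safe here.
    exec /usr/bin/su - "$1"
}

# Runs as a command when given arguments; with none (e.g. when sourced for
# testing) only the functions are defined.
[ "$#" -gt 0 ] && main "$@"
```

To wire it in, the sudoers entry has to name the wrapper by absolute path (sudoers does not search PATH), for example `PROGRAMMERS ALL=(root) /usr/local/sbin/suuser` if the script is installed there (an assumed location); the wrapper must then be owned by root and not writable by the programmers. Checking the uid inside the wrapper is also why this is preferable to a `(!root)` Runas list: the sudoers manual itself advises against `!` in such lists precisely because of alias accounts.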
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users