[sudo-users] allow / deny su
pottmi at gmail.com
Thu Oct 19 15:20:49 EDT 2006
I recently posted this for a similar problem:
pottmi ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi ALL=(!root)/usr/bin/su -
pottmi ALL=(!root)/usr/bin/su - root
lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as root on
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
Which is my interpretation of what you want. If that is not what you are
after please post the commands that you want to allow and disallow.
I think !ALL would work as well as or better than !root in the Runas area of
the authorization rule.
Also, I still have the feeling that there is a security hole in this. I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by their
membership in the "staff" group.
User_Alias PROGRAMMERS=prog1, prog2, prog3
source for suuser (not debugged):
if (( $# != 1 ))
echo "usage: suuser username"
/usr/bin/groups $1 |/usr/bin/grep staff
if (( $? != 0 )
echo "$1 not a member of staff"
su - $1
On 10/19/06, Jan Albrecht <jan.albrecht at gmail.com> wrote:
> Hi all,
> maybe anyone of you has an idea:
> I wan't to allow some of my users to change users via su (to administer
> their own users) but not change via su to root shell.
> Now if I use this command alias:
> Cmnd_Alias SU = !/bin/su, /bin/su %group, /bin/su - %group,
> !/bin/su - root, !/bin/su root, !/bin/su -
> it does not work.
> In this case no su command is allowed (which does make sense as I
> disallowed su) but in all other combinations it worked except for "sudo
> -u root su". su assumes in this case root and switches to root shell.
> And thats what I want to prevent.
> Has anyone an idea how to solve this? Or maybe has an another idea?
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
More information about the sudo-users