[sudo-users] allow / deny su

Michael Potter pottmi at gmail.com
Thu Oct 19 15:20:49 EDT 2006


Jan,

I recently posted this for a similar problem:
These rules:
pottmi  ALL=(!root)/usr/bin/su$
pottmi  ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi  ALL=(!root)/usr/bin/su -
pottmi  ALL=(!root)/usr/bin/su - root

lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:

localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
logout
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost.
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as root on
localhost.
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
localhost.
localhost:~ pottmi$

Which is my interpretation of what you want.  If that is not what you are
after please post the commands that you want to allow and disallow.

I think !ALL would work as well as or better than !root in the Runas area of
the authorization rule.

Also, I still have the feeling that there is a security hole in this.  I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by their
membership in the "staff" group.

sudoers file:
-------------
User_Alias PROGRAMMERS=prog1, prog2, prog3

PROGRAMMERS ALL=(root)suuser
-------

source for suuser (not debugged):
-----
#!/bin/bash

if (( $# != 1 ))
then
   echo "usage: suuser username"
   exit 1
fi

# refuse root explicitly; the whole point is to keep su away from a root shell
if [[ "$1" == root ]]
then
   echo "su to root is not permitted"
   exit 1
fi

# exact match on the group name: a plain "grep staff" would also match
# e.g. a group called "staffers" or a user name containing "staff"
if ! /usr/bin/id -Gn "$1" 2>/dev/null | /usr/bin/tr ' ' '\n' | /usr/bin/grep -qx staff
then
   echo "$1 not a member of staff"
   exit 1
fi

exec /usr/bin/su - "$1"

-- 
potter

On 10/19/06, Jan Albrecht <jan.albrecht at gmail.com> wrote:
>
> Hi all,
>
> maybe anyone of you has an idea:
>
> I want to allow some of my users to change users via su (to administer
> their own users) but not change via su to root shell.
> Now if I use this command alias:
>
> Cmnd_Alias      SU =    !/bin/su, /bin/su %group, /bin/su - %group,
> !/bin/su - root, !/bin/su root, !/bin/su -
>
> it does not work.
> In this case no su command is allowed (which does make sense as I
> disallowed su) but in all other combinations it worked except for "sudo
> -u root su". su assumes in this case root and switches to root shell.
> And that's what I want to prevent.
>
> Has anyone an idea how to solve this? Or maybe has another idea?
>
> Thanks
> Jan
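The policy checks such a wrapper has to make, as an added example that is not code from either post: the target-name checks, the explicit root refusal and an exact group-name match are factored into one function so the cases raised in the thread (bare su, "su -", "su - root", a look-alike group name) can be exercised offline. groups_of is a constructed stand-in for `id -Gn`, and its user names and group lists are made up for the example.

```shell
#!/bin/sh
# Constructed membership table standing in for `id -Gn "$user"`;
# a real wrapper would call id(1) here instead.
groups_of() {
    case "$1" in
        mruser)  echo "staff users" ;;
        staffer) echo "staffer users" ;;   # group name merely contains "staff"
        root)    echo "wheel staff" ;;     # root is in staff on purpose here
        *)       return 1 ;;               # unknown user: id(1) would fail
    esac
}

# allowed_target USER: returns 0 only if su - USER may be run.
allowed_target() {
    target=$1
    # a target is required; "su" and "su -" carry none and must be refused
    [ -n "$target" ] || return 1
    # only a plain login name: no leading dash (option smuggling), no
    # whitespace or shell metacharacters
    case "$target" in
        -*|*[!a-zA-Z0-9_]*) return 1 ;;
    esac
    # root is never a valid target, whatever groups it belongs to
    [ "$target" != root ] || return 1
    # exact token match on the group list, not a substring match
    glist=$(groups_of "$target") || return 1
    case " $glist " in
        *" staff "*) return 0 ;;
    esac
    return 1
}
```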