[sudo-users] allow / deny su
Michael Potter
pottmi at gmail.com
Thu Oct 19 15:20:49 EDT 2006
Jan,
I recently posted this for a similar problem:
These rules:
pottmi ALL=(!root)/usr/bin/su$
pottmi ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
pottmi ALL=(!root)/usr/bin/su -
pottmi ALL=(!root)/usr/bin/su - root
lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
localhost:~ pottmi$ sudo su - mruser
localhost:~ mruser$ exit
logout
localhost:~ pottmi$ sudo su -
Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root on
localhost.
localhost:~ pottmi$ sudo su - root
Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as root on
localhost.
localhost:~ pottmi$ sudo su
Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
localhost.
localhost:~ pottmi$
Which is my interpretation of what you want. If that is not what you are
after please post the commands that you want to allow and disallow.
I think !ALL would work as well as or better than !root in the Runas area of
the authorization rule.
Also, I still have the feeling that there is a security hole in this. I
would say you would probably be better served with a wrapper script that
would only invoke su - on the appropriate users, maybe designated by their
membership in the "staff" group.
sudoers file:
-------------
User_Alias PROGRAMMERS=prog1, prog2, prog3
PROGRAMMERS ALL=(root)suuser
-------
source for suuser (not debugged):
-----
#!/bin/bash
if (( $# != 1 ))
then
echo "usage: suuser username"
exit 1
fi
/usr/bin/groups $1 |/usr/bin/grep staff
if (( $? != 0 )
then
echo "$1 not a member of staff"
exit 1
fi
su - $1
--
potter
On 10/19/06, Jan Albrecht <jan.albrecht at gmail.com> wrote:
>
> Hi all,
>
> maybe anyone of you has an idea:
>
> I wan't to allow some of my users to change users via su (to administer
> their own users) but not change via su to root shell.
> Now if I use this command alias:
>
> Cmnd_Alias SU = !/bin/su, /bin/su %group, /bin/su - %group,
> !/bin/su - root, !/bin/su root, !/bin/su -
>
> it does not work.
> In this case no su command is allowed (which does make sense as I
> disallowed su) but in all other combinations it worked except for "sudo
> -u root su". su assumes in this case root and switches to root shell.
> And thats what I want to prevent.
>
> Has anyone an idea how to solve this? Or maybe has an another idea?
>
> Thanks
> Jan
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
More information about the sudo-users
mailing list