[sudo-users] allow / deny su

Jan Albrecht jan.albrecht at gmail.com
Fri Oct 20 04:22:42 EDT 2006


Hi Michael,

I had to adapt your example, but now it seems to work.
Thanks for your help!

But just one question: is there a way to get rid of the
[a-zA-Z][a-z0-9A-Z] definitions? Can a %usergroup be placed there instead?

Thanks
Jan

Michael Potter wrote:
> Jan,
>
> I recently posted this for a similar problem:
> These rules:
> pottmi  ALL=(!root)/usr/bin/su$
> pottmi  ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
> pottmi  ALL=(!root)/usr/bin/su -
> pottmi  ALL=(!root)/usr/bin/su - root
>
> lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
>
> localhost:~ pottmi$ sudo su - mruser
> localhost:~ mruser$ exit
> logout
> localhost:~ pottmi$ sudo su -
> Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root
> on localhost.
> localhost:~ pottmi$ sudo su - root
> Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as
> root on localhost.
> localhost:~ pottmi$ sudo su
> Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
> localhost.
> localhost:~ pottmi$
>
> Which is my interpretation of what you want.  If that is not what you
> are after please post the commands that you want to allow and disallow.
>
> I think !ALL would work as well as or better than !root in the Runas
> area of the authorization rule.
>
> Also, I still have the feeling that there is a security hole in this. 
> I would say you would probably be better served with a wrapper script
> that would only invoke su - on the appropriate users, maybe designated
> by their membership in the "staff" group.
>
> sudoers file:
> -------------
> User_Alias PROGRAMMERS=prog1, prog2, prog3
>
> PROGRAMMERS ALL=(root)suuser
> -------
>
> source for suuser (not debugged):
> -----
> #!/bin/bash
>
> # usage: suuser username   (invoked via sudo; allows su only to staff members)
> if (( $# != 1 ))
> then
>    echo "usage: suuser username"
>    exit 1
> fi
>
> # id -Gn prints only the target's group names (groups(1) also prints the
> # user name on some systems); -w matches "staff" as a whole word so a group
> # such as "staffers" does not slip through. An unknown user makes id fail,
> # which also ends up as a denial.
> if ! /usr/bin/id -Gn "$1" | /usr/bin/grep -qw staff
> then
>    echo "$1 not a member of staff"
>    exit 1
> fi
>
> su - "$1"
>
> -- 
> potter
>
> On 10/19/06, *Jan Albrecht* <jan.albrecht at gmail.com> wrote:
>
>     Hi all,
>
>     maybe anyone of you has an idea:
>
>     I want to allow some of my users to change users via su (to administer
>     their own users) but not to change via su to a root shell.
>     Now if I use this command alias:
>
>     Cmnd_Alias      SU =    !/bin/su, /bin/su %group, /bin/su - %group,
>     !/bin/su - root, !/bin/su root, !/bin/su -
>
>     it does not work.
>     In this case no su command is allowed (which does make sense, as I
>     disallowed su), but in all other combinations it worked, except for
>     "sudo -u root su". su assumes root in this case and switches to a root
>     shell. And that's what I want to prevent.
>
>     Has anyone an idea how to solve this? Or maybe has an another idea?
>
>     Thanks
>     Jan
>     ____________________________________________________________
>     sudo-users mailing list <sudo-users at sudo.ws>
>     For list information, options, or to unsubscribe, visit:
>     http://www.sudo.ws/mailman/listinfo/sudo-users
>
>

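Added example, not part of the thread and not sudo's own code: a hardened version of the wrapper Michael sketches above, written in POSIX sh. It assumes (none of this is in the original) that it is installed root-owned and mode 0755 as /usr/local/sbin/suuser, reached through a sudoers line such as `PROGRAMMERS ALL=(root) /usr/local/sbin/suuser`, and that the permitted targets are exactly the members of group "staff". It rejects anything that is not a plain account name (so a leading "-" can never reach su as an option), checks membership by whole-word comparison against `id -Gn` rather than grepping `groups` output, refuses "root" by name and any uid 0 account by number, and hardcodes the group name instead of reading it from the environment, because a caller-controlled variable would otherwise survive whenever sudo's env_reset is off. On the %group question: sudoers accepts %group only as a user-list element and does not expand it inside command arguments, which is why "su to any member of a group" has to be expressed in a wrapper like this one.

```shell
#!/bin/sh
# suuser: let a sudoer switch to a member of group "staff", never to root.
# Added example with assumed paths and group name; see the lead-in above.
PATH=/usr/bin:/bin
export PATH

# Hardcoded on purpose: sudo may pass the caller's environment through when
# env_reset is disabled, so policy must not come from a variable.
ALLOWED_GROUP=staff

# valid_username NAME: 0 if NAME is a plain account name. A leading '-' is
# rejected so su can never parse the name as an option; uppercase, spaces and
# shell metacharacters are rejected as a deliberately conservative choice.
valid_username() {
    case "$1" in
        '' | -* | *[!a-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# target_allowed NAME GROUPS: 0 if switching to NAME is permitted by policy.
# GROUPS is NAME's whitespace-separated group list, i.e. what `id -Gn NAME`
# prints; it is passed in rather than looked up so the policy is testable
# without real accounts. Membership is whole-word equality, so "staffers"
# does not match "staff" the way `groups NAME | grep staff` would.
target_allowed() {
    ta_name=$1
    ta_groups=$2
    valid_username "$ta_name" || return 1
    [ "$ta_name" != root ] || return 1
    for ta_g in $ta_groups; do
        [ "$ta_g" = "$ALLOWED_GROUP" ] && return 0
    done
    return 1
}

main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: suuser username" >&2
        exit 64
    fi
    target=$1
    # Validate before the name is handed to any command, id included.
    if ! valid_username "$target"; then
        echo "suuser: invalid user name" >&2
        exit 1
    fi
    # id fails for unknown accounts; do not fall through to su with them.
    if ! groups_of=$(id -Gn "$target" 2>/dev/null); then
        echo "suuser: no such user: $target" >&2
        exit 1
    fi
    if ! target_allowed "$target" "$groups_of"; then
        echo "suuser: $target is not a member of $ALLOWED_GROUP" >&2
        exit 1
    fi
    # Second line of defence: a name other than "root" can still carry uid 0
    # (an alias account), and that is exactly the shell being withheld.
    if [ "$(id -u "$target")" -eq 0 ]; then
        echo "suuser: refusing uid 0 account $target" >&2
        exit 1
    fi
    exec /bin/su - "$target"
}

# Run main only when invoked as the installed script, so the policy
# functions above can be sourced and exercised on their own.
case ${0##*/} in
    suuser) main "$@" ;;
esac
```

Usage is `sudo suuser alice`; anything else, including `sudo suuser root`, `sudo suuser -c`, or a member of a group that merely starts with "staff", is refused before su runs.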