[sudo-users] allow / deny su
jan.albrecht at gmail.com
Fri Oct 20 04:22:42 EDT 2006
I had to adapt your example, but now it seems to work.
Thanks for your help!
But just one question: is there a way to get rid of the
[a-zA-Z][a-z0-9A-Z] definitions? Can a %usergroup be placed there?
Michael Potter wrote:
> I recently posted this for a similar problem:
> These rules:
> pottmi ALL=(!root)/usr/bin/su$
> pottmi ALL=(root)/usr/bin/su - [a-zA-Z][a-z0-9A-Z]*
> pottmi ALL=(!root)/usr/bin/su -
> pottmi ALL=(!root)/usr/bin/su - root
> lead to this behavior on my mac OS X 10.4, Sudo version 1.6.8p9:
> localhost:~ pottmi$ sudo su - mruser
> localhost:~ mruser$ exit
> localhost:~ pottmi$ sudo su -
> Sorry, user pottmi is not allowed to execute '/usr/bin/su -' as root
> on localhost.
> localhost:~ pottmi$ sudo su - root
> Sorry, user pottmi is not allowed to execute '/usr/bin/su - root' as
> root on localhost.
> localhost:~ pottmi$ sudo su
> Sorry, user pottmi is not allowed to execute '/usr/bin/su' as root on
> localhost.
> localhost:~ pottmi$
> Which is my interpretation of what you want. If that is not what you
> are after please post the commands that you want to allow and disallow.
> I think !ALL would work as well as or better than !root in the Runas
> area of the authorization rule.
> Also, I still have the feeling that there is a security hole in this.
> I would say you would probably be better served with a wrapper script
> that would only invoke su - on the appropriate users, maybe designated
> by their membership in the "staff" group.
> sudoers file:
> User_Alias PROGRAMMERS=prog1, prog2, prog3
> PROGRAMMERS ALL=(root)suuser
> source for suuser (not debugged):
> #!/bin/bash
> if (( $# != 1 )); then
>     echo "usage: suuser username"
>     exit 1
> fi
> # exact-match "staff" in the target's group list, not a substring of the output
> if ! id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx staff; then
>     echo "$1 not a member of staff"
>     exit 1
> fi
> exec su - "$1"
> On 10/19/06, Jan Albrecht <jan.albrecht at gmail.com> wrote:
> Hi all,
> maybe anyone of you has an idea:
> I want to allow some of my users to change users via su (to
> their own users) but not change via su to root shell.
> Now if I use this command alias:
> Cmnd_Alias SU = !/bin/su, /bin/su %group, /bin/su - %group,
> !/bin/su - root, !/bin/su root, !/bin/su -
> it does not work.
> In this case no su command is allowed (which does make sense as I
> disallowed su), but in all other combinations it worked except for
> "-u root su". su assumes root in this case and switches to a root shell.
> And that's what I want to prevent.
> Does anyone have an idea how to solve this? Or maybe another idea?
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
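Added example (not code from either poster): a stricter version of the wrapper approach Michael sketches above. It also answers Jan's question about the [a-zA-Z][a-z0-9A-Z]* pattern by taking the "who may be a target" decision out of the sudoers regex and putting it in the script, where the target name, the target's uid and the group membership can each be checked. The policy functions take the group line and the uid as plain arguments so the rules can be exercised without a real passwd/group database; the wrapper itself assumes a GNU/Linux userland (getent, id), a group named staff, and a hypothetical install path /usr/local/sbin/suuser with a matching sudoers rule.

```shell
#!/bin/sh
# Added example, not code from the thread. Policy checks are pure functions of
# their arguments so they can be tested offline. Assumed: GNU/Linux userland
# (getent, id), "staff" as the allow-list group, hypothetical install path
# /usr/local/sbin/suuser.

# Reject anything that is not a plain account name. This is what closes the
# "-u root" / "su - root" class of problems at the wrapper level: su never
# sees an argument that is empty, starts with "-", or contains whitespace or
# shell metacharacters, so nothing the caller types is parsed as an option.
valid_username() {
    case $1 in
        ''|-*|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the target may be switched to, 1 otherwise.
#   $1  target account name as typed by the caller
#   $2  the /etc/group line for the staff group, e.g. "staff:x:50:alice,bob"
#   $3  the target's numeric uid (what `id -u TARGET` prints)
su_target_allowed() {
    target=$1; group_line=$2; uid=$3

    valid_username "$target" || return 1

    # Never switch to uid 0, whatever the account is called (root, toor, or
    # any other uid-0 login); a missing or non-numeric uid is refused too.
    case $uid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$uid" -eq 0 ] && return 1

    # Group membership is the allow-list: exact match against one of the
    # comma-separated members in the fourth field. Wrapping both sides in
    # commas means "staff" or "alice2" cannot match "alice" by substring.
    case ",${group_line##*:}," in
        *",$target,"*) return 0 ;;
    esac
    return 1
}

# The wrapper proper: look the facts up, apply the policy, then drop into the
# requested account. Granted through sudoers with a hypothetical rule such as:
#   PROGRAMMERS ALL=(root) /usr/local/sbin/suuser
suuser() {
    [ $# -eq 1 ] || { echo "usage: suuser username" >&2; return 2; }
    valid_username "$1" || { echo "suuser: bad user name" >&2; return 1; }
    # Fail closed: if the staff group does not exist, nobody is a member.
    group_line=$(getent group staff) || group_line="staff:x:0:"
    uid=$(id -u "$1" 2>/dev/null) || { echo "suuser: no such user: $1" >&2; return 1; }
    su_target_allowed "$1" "$group_line" "$uid" || { echo "suuser: $1 is not permitted" >&2; return 1; }
    exec su - "$1"
}

# Run as a script with one argument it acts as the wrapper; run without
# arguments or sourced, it only defines the functions.
if [ $# -eq 1 ]; then
    suuser "$1"
fi
```

The sudoers side then needs no regex at all: the only command granted is the wrapper, and the wrapper decides which accounts are reachable. Note that this also covers the case Michael's rules cannot express, a second uid-0 account with a name other than root, because the decision is made on the uid rather than on the spelling of the name.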