[sudo-users] allow / deny su

Jan Albrecht jan.albrecht at gmail.com
Mon Oct 23 02:39:36 EDT 2006


On 10/20/06, Michael Potter <pottmi at gmail.com> wrote:
> Jan,
>
> There is no way to put %usergroup in a command definition with the intent of
> restricting an argument to a set of users.  However, if you use the wrapper
> script that I also posted you can do all kinds of good things.

Unfortunately it is not possible for me to install such a wrapper, as
this is no known way for security audits. If you have to deal with
audits from the payment card industry, you have to use well-known
paths, not one meter beneath it ;-)
But thanks for your help in this case.

> There seems to be some resistance to using the wrapper script by you and the
> previous poster. Can you tell me why?  I would like to improve the script if
> there is something unacceptable about it.

I would love to, but my customers and their auditors are the reason for
not using it.

> Maybe there is such a demand for a su wrapper that it should be built into
> sudo much like sudoedit.  Tom, are you listening? ;).

A really good way would be if I could create an automatic relink in sudo:
If a user wants to use sudo, the sudoers file denies it and relinks the
user to a script, which is controlled by sudo and provides more efficient
permissions.

Jan


