[sudo-users] Alias question

Galen Johnson Galen.Johnson at sas.com
Fri Sep 7 12:22:36 EDT 2007

Why not just disable su entirely and handle it all via sudo...once they
are su'd you lose all trackability.  We typically disable su and the
shells (so -s doesn't work).


-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of jifan sun
Sent: Friday, September 07, 2007 10:42 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Alias question

We have several levels of admins at our sites. One requirement that's been
requested is that the level 1 admins only be allowed to sudo to non-root
accounts, and also not be able to sudo to any higher-level admin accounts.

I took the example on the website:

  john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

1st modification, works just as expected, i.e. LVL1ADMIN is able to sudo to
any user other than root or john:

  LVL1ADMIN       ALL  = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su john

Level 3 admins are identified as the ADMINS alias:

  LVL1ADMIN       ALL  = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su *ADMINS*

This doesn't work; I've tried several modifications to the above, however so
far I've not been able to determine the exact syntax, if this is even possible
to do, without explicitly listing each userid within the ADMINS group with
!/usr/bin/su.

The reasoning behind the requirement is that some are concerned that somehow
LVL1ADMIN will be able to acquire the privileges of the ADMINS group; I've
already demonstrated that this is not really possible, however that doesn't
mean they're going to change the requirement.

Thanks in advance!

sudo-users mailing list <sudo-users at sudo.ws>
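The following sudoers fragment is an added example, not text from either poster. It shows the approach the reply suggests (keep su out of the picture and grant shells through sudo) and expresses the original requirement with a Runas list instead of su argument patterns: the `*ADMINS*` pattern in the question is matched against su's command-line arguments as a literal glob, so the alias is never expanded there, whereas negated entries in a Runas list are checked against the target user sudo was asked for. The user names, alias membership, shell paths and log file path are assumptions.

```sudoers
# Added example (not from the thread). Names below are placeholders.
User_Alias  LVL1ADMIN = alice, bob
User_Alias  ADMINS    = carol, dave, john

# Keep a trail of every elevation instead of losing it after an su.
Defaults    logfile=/var/log/sudo.log

# Level 1 admins get a login shell as any account except root and the
# level 3 admins. Runas list entries are matched in order with the last
# match winning, so ALL grants and the negations that follow take away
# root and every member of ADMINS without listing each one per command.
LVL1ADMIN   ALL = (ALL, !root, !ADMINS) /bin/bash -l, /bin/sh -l
```

With su disabled for this group (it is simply not granted here), a level 1 admin obtains a shell with `sudo -u someuser /bin/bash -l`; `sudo -u carol /bin/bash -l` is refused because carol is in ADMINS, and `sudo -s` does not match because the granted commands require the `-l` argument. Check the file with `visudo -c`, then confirm the effective policy with `sudo -l -U alice` before relying on it.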