[sudo-users] sudoers question: ALL - but restrict su -
charles at wozi.com
Thu May 29 20:31:41 EDT 2008
You can do something like
%admins ALL = ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/
Where the "!" in front of the command alias or command says that you
won't allow them to run any commands listed in those aliases (and I
think ! works to negate most things). But keep in mind that a user
can still exec a shell that doesn't have the same file name as the one
listed in your list in sudoers, and gain a full root shell. As an
example, a user of mine copied /bin/bash to a file in their home dir
called "a.pl" and then executed that as the user giving them a full
shell as the user (even though I had given her su).
So keep in mind that giving them "ALL" does really give them access to
a big stick, which they can of course use to knock themselves
unconscious, as users are apt to do.
On May 29, 2008, at 4:50 PM, dave.parson at daimler.com wrote:
> I know this has been discussed before, but there seems to be more
> than one way to configure this - I would like to be as secure as possible.
> Problem: Allow a user ALL commands, but "not" allow a root shell
> later on don't allow vi as well). So commands like "su root" "su -"
> would not be allowed, but all other commands would.
> Perhaps there is a better way than how I am trying to implement
> this?
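The reply above makes the key point: a `%admins ALL = ALL, !/bin/su, ...` spec cannot actually deny anything, because the ALL grant lets the user run a copy of the denied program under another name. The following audit script is an added example (not code from the post or from the sudo project) that flags exactly that pattern in a sudoers file; the sudoers text it reads is constructed, and its parser is a simplification of the real grammar.

```python
"""Audit sudoers specs for the 'ALL minus a deny list' pattern.

Added example, not code from the sudo project or the post. The sudoers text is
constructed; the parser is a simplification (alias and Defaults lines skipped,
backslash-continued lines joined), an audit aid rather than a visudo stand-in."""
import re

SAMPLE_SUDOERS = """\
# constructed sample, not a real system file
Defaults   env_reset
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
root       ALL=(ALL) ALL
%admins    ALL = ALL, !/bin/su, !/bin/vi /etc/sudoers, \\
                     !SHELLS
%backup    ALL = (root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
"""

# user spec: User_List Host_List = [(Runas)] [TAG:] Cmnd_List
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<cmds>.+)$")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@")

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and '#' comments."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            out.append(line)
    return out

def audit(text):
    """One finding per spec that grants ALL and then subtracts commands with '!'.
    Such a deny list is unenforceable (copy the binary, run it via ALL); use an allow list."""
    findings = []
    for line in logical_lines(text):
        match = SPEC_RE.match(line)
        if line.startswith(SKIP) or not match:
            continue
        cmds = re.sub(r"^\([^)]*\)\s*", "", match.group("cmds"))  # drop (runas)
        cmds = re.sub(r"\b[A-Z]+:\s*", "", cmds)                  # drop NOPASSWD: etc.
        items = [c.strip() for c in cmds.split(",") if c.strip()]
        denied = [c[1:] for c in items if c.startswith("!")]
        if "ALL" in items and denied:
            findings.append({"who": match.group("who"), "denied": ", ".join(denied),
                             "fix": "replace ALL with an explicit allow list"})
    return findings
```

Run it against a real file with `audit(open("/etc/sudoers").read())`; the `%backup` entry shows the shape of the allow-list spec the finding asks for.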