[sudo-users] sudoers question: ALL - but restrict su -

Charles Marshall charles at wozi.com
Thu May 29 20:31:41 EDT 2008


Dave,
You can do something like

%admins        ALL = ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/visudo, !/bin/bash

Where the "!" in front of the command alias or command says that you  
won't allow them to run any commands listed in those aliases (and I  
think ! works to negate most things).  But keep in mind that a user  
can still exec a shell that doesn't have the same file name as the one  
listed in your list in sudoers, and gain a full root shell.  As an  
example, a user of mine copied /bin/bash to a file in their home dir  
called "a.pl" and then executed that as the user giving them a full  
shell as the user (even though I had given her su).

So keep in mind that giving them "ALL" does really give them access to  
a big stick, which they can of course use to knock themselves  
unconscious, as users are apt to do.

Good Luck,
CS	
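As an added illustration (not code from Charles, Dave or the sudo project), the shell script below writes two constructed sudoers fragments, one with the "ALL minus a blacklist" pattern from the line above and one using an explicit Cmnd_Alias allowlist, and defines a small audit check that flags any spec which grants ALL and then tries to subtract commands with "!". The command paths in the allowlist and the temp-file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed sudoers fragments plus
# a small audit function that flags "grant ALL, then subtract with !" specs.
# Command paths in the allowlist are placeholders for this illustration.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed fragment 1: the negation pattern from the reply above. sudo
# matches commands by path, so a copy of /bin/bash under another name (the
# "a.pl" case) is not covered by !/bin/bash and still yields a root shell.
WEAK_SUDOERS="$WORKDIR/weak"
printf '%s\n' \
  '%admins ALL = ALL, !/bin/su, !/bin/vi /etc/sudoers, !/usr/sbin/visudo, !/bin/bash' \
  > "$WEAK_SUDOERS"

# Constructed fragment 2: an explicit allowlist. Anything not in the alias is
# denied by default, so there is no blacklist entry to route around. Use
# "visudo -c -f FILE" to syntax-check a fragment before installing it.
SAFE_SUDOERS="$WORKDIR/safe"
printf '%s\n' \
  'Cmnd_Alias ADMIN_CMDS = /usr/sbin/service, /sbin/reboot, /usr/bin/apt-get' \
  '%admins ALL = ADMIN_CMDS' \
  > "$SAFE_SUDOERS"

# A non-comment spec whose command list starts with ALL and also carries a
# "!" entry: ALL grants everything, so the "!" entries are only path
# blacklists and do not bind a renamed copy of the same binary.
NEGATED_ALL_RE='^[^#]*=.*[[:space:]=]ALL[[:space:]]*,.*!'

# count_negated_all FILE: prints how many such specs FILE contains
# (grep -c prints 0 and exits 1 on no match, hence the "|| true").
count_negated_all() {
    grep -cE "$NEGATED_ALL_RE" "$1" || true
}

# show_negated_all FILE: prints the offending specs with line numbers.
show_negated_all() {
    grep -nE "$NEGATED_ALL_RE" "$1" || true
}

for f in "$WEAK_SUDOERS" "$SAFE_SUDOERS"; do
    echo "$f: $(count_negated_all "$f") spec(s) grant ALL and then negate"
    show_negated_all "$f"
done
```

Run it as-is to see the weak fragment flagged and the allowlist fragment pass; point count_negated_all at a real /etc/sudoers or a file under /etc/sudoers.d to audit an existing host. The regex is deliberately narrow (a command list that begins with ALL followed by a "!" entry), so it reports the bypassable pattern rather than every use of "!".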

On May 29, 2008, at 4:50 PM, dave.parson at daimler.com wrote:
> I know this has been discussed before, but there seems to be more
> than one way to configure this - I would like to be as secure as possible.
>
> Problem:  Allow a user ALL commands, but "not" allow a root shell (perhaps
> later on don't allow vi as well).  So commands like "su root" "su -" "su"
> would not be allowed, but all other commands would.
>
> Perhaps there is a better way than how I am trying to implement this?
>
>
> David