[sudo-users] su except root

Nick Hasser nick.hasser at gmail.com
Tue Jul 7 16:28:36 EDT 2009


Thornton, Don wrote:
> Add the following lines (visudo) to your /etc/sudoers file:
> 
> User_Alias  NON_ROOT = APistocc, DThornto
> 
> Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, \
>             /usr/bin/su - root
> 
> NON_ROOT    ALL=(ALL) ALL, !SU_TO_ROOT
>

I'm fairly new to configuring sudo, so maybe I'm missing something here,
but this does not prevent me from su'ing to root since I can:

$ cp /usr/bin/su $HOME/su
$ cd $HOME
$ sudo ./su -

The more secure implementation would be to whitelist a set of commands
instead of blacklisting the su command, correct?

Nick
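
The allowlist-versus-denylist question raised in this message, as an added example that is not part of the original post: a small Python check that flags sudoers rules of the form "ALL, !COMMAND" and lists what the negation actually names. It is a simplified line-based reader, not sudo's own parser; the OPERATORS rule and all function names are made up for illustration.

```python
import re

# Constructed sample: the rule from the quoted message (continuation written
# with a backslash) plus a hypothetical allowlist rule; OPERATORS is made up.
SAMPLE = r"""
User_Alias  NON_ROOT = APistocc, DThornto
Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, \
            /usr/bin/su - root
NON_ROOT    ALL=(ALL) ALL, !SU_TO_ROOT
OPERATORS   ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
"""

NOT_A_RULE = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "Defaults")

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def cmnd_aliases(text):
    """Map each Cmnd_Alias name to the list of commands it stands for."""
    aliases = {}
    for line in logical_lines(text):
        if line.startswith("Cmnd_Alias"):
            name, members = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
    return aliases

def find_denylist_rules(text):
    """Return (who, denied_commands) for every rule that grants ALL and then
    subtracts commands with '!'. Simplified: one user spec per line."""
    aliases, findings = cmnd_aliases(text), []
    for line in logical_lines(text):
        if line.startswith(NOT_A_RULE) or "=" not in line:
            continue
        who, spec = line.split()[0], line.split("=", 1)[1]
        spec = re.sub(r"\([^)]*\)", "", spec)      # drop the (runas) part
        spec = re.sub(r"\b[A-Z_]+:", "", spec)     # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in spec.split(",") if c.strip()]
        denied = [p for c in cmds if c.startswith("!")
                  for p in aliases.get(c[1:].strip(), [c[1:].strip()])]
        if "ALL" in cmds and denied:
            findings.append((who, denied))
    return findings

if __name__ == "__main__":
    for who, denied in find_denylist_rules(SAMPLE):
        print(f"{who}: grants ALL minus {denied}; list the permitted commands instead")
```

On the sample, only the NON_ROOT rule is reported; the OPERATORS rule names the commands it permits and passes.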


