[sudo-users] su except root

Battersby-Cornmell, Robin Alasdair Robin.Battersby-Cornmell at uisl.unisys.com
Wed Jul 8 07:10:32 EDT 2009

Your approach may be a little open to abuse with people able to simply copy su to another name and then call that with "sudo cp -p /usr/bin/su ./mysu; sudo mysu -" or similar.

Another way (not perfect either) is to edit /.profile (assuming you're using sh, ksh, bash etc.) to trace the caller, something like:-

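	# root's .profile

	# "cmd | read" only keeps its variables in ksh, so the fields are split with "set --";
	# "set -f" stops a tty of "?" from being expanded as a filename pattern
	set -f
	set -- `ps -o user=,tty=,ppid= -p $$`; uid=$1 tid=$2 ppid=$3
	if [ "$tid" != "${tid#pts}" -o "$tid" != "${tid#tty}" ]; then		# <--- See below
		# Login record for this terminal and details of the calling process
		set -- `who -i|grep "$tid "`; rid=$1 lpid=$7
		set -- `ps -o user=,ppid= -p $ppid`; cid=$1 cpid=$2
		cargs=`ps -o args= -p $ppid`
		if [ `grep -c "$cid" /etc/rootusers.allowed` -ne 1 ]; then
			echo "Not allowed access to login as root."
			# Write attempt in your security log with info collected above
			exit 1		# end the shell so the denial takes effect
		fi
	fi
	set +f

	# Carry on with .profile here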

You need to edit the "if" to capture your terminal definition style, e.g. pts/1, ttyAA/AA11 or whatever.  Make sure that you allow direct console login as a fallback.  Test it very thoroughly and consider what will happen in a boot when the profile is read.

This is quickly cobbled together and not tested, so no liability is accepted.

Of course, it can still be hacked round by altering the /etc/rootusers.allowed.  Perhaps the best way would be to specifically allow what is acceptable rather than trying to have a blanket grant and then prevent what you don't want them to do.  Shared accounts are always a bad idea as you lose the accountability anyway.  How do you square it with the auditors?  The shared accounts might be okay if you script everything and then allow users to call the script and don't let them enter arbitrary commands.

Unisys, Liverpool

-----Original Message-----
From: Thornton, Don [mailto:Don.Thornton at stvin.org] 
Sent: Monday, July 06, 2009 5:20 PM
To: sudo-users at sudo.ws
Subject: [sudo-users] su except root

Add the following lines (visudo) to your /etc/sudoers file:

User_Alias  NON_ROOT = APistocc, DThornto

Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root


Don Thornton Jr.
The Unix System Administrator
St. Vincent Regional Medical Center
455 St. Michaels Dr.
Santa Fe, NM 87505
Wrk: 505-913-4875
Fax: 505-913-4957

On 10/5/06, ANDREW PISTOCCHI <APISTOCCHI at ut.edu> wrote:
> I have users able to su - as another user using sudo but how can I 
> exclude them from root?  I want them to be able to sudo su as any user 
> except root.  Right now if they type: sudo su and hit <Enter> they get 
> the root # prompt.  I don't want this.
> Is there an easy way to allow them to su to all users except root?
> Andy Pistocchi
> apistocch at ut.edu
> 813-258-7422
> The University of Tampa
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws> For list information, 
> options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
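
Added example, not from any poster in this thread: a small Python audit of sudoers text for the pattern discussed above, a rule that grants ALL and then negates specific commands, plus root-run grants of su or cp. The sample rule lines and the names OPERATORS, appuser and restart-app are constructed, and the parser assumes one rule per line with no line continuations.

```python
import re

# Constructed sample, not from the thread: the two alias lines quoted in the
# message plus hypothetical rule lines (OPERATORS, appuser, restart-app are made up).
SAMPLE = """\
User_Alias  NON_ROOT = APistocc, DThornto
Cmnd_Alias  SU_TO_ROOT = /usr/bin/su, /usr/bin/su -, /usr/bin/su root, /usr/bin/su - root
NON_ROOT ALL = (ALL) ALL, !SU_TO_ROOT
NON_ROOT ALL = (root) NOPASSWD: /usr/bin/cp
OPERATORS ALL = (appuser) /usr/local/sbin/restart-app
"""

RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
COPY_OR_SU = {"su", "cp"}  # the two binaries named in the message above

def items(text):
    """Split a comma-separated sudoers list and drop tags such as NOPASSWD:."""
    return [re.sub(r"^(?:[A-Z_]+:\s*)+", "", i.strip()) for i in text.split(",") if i.strip()]

def audit(sudoers_text):
    """Return (who, finding, detail) tuples for blocklist-style and root su/cp rules."""
    lines = [l.strip() for l in sudoers_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    aliases = {}
    for line in lines:
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = items(m.group(2))
    findings = []
    for line in lines:
        m = None if re.match(r"^(\w+_Alias|Defaults)\b", line) else RULE_RE.match(line)
        if not m:
            continue
        who, runas, cmds = m.group(1), m.group(2), items(m.group(3))
        targets = items(runas.split(":")[0]) if runas else ["root"]  # sudo runs as root by default
        as_root = ("root" in targets or "ALL" in targets) and "!root" not in targets
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in cmds and denied:  # blanket grant followed by exclusions
            findings.append((who, "blocklist", ", ".join(denied)))
        for c in cmds:
            for cmd in ([] if c.startswith("!") else aliases.get(c, [c])):
                if as_root and cmd.split()[0].rsplit("/", 1)[-1] in COPY_OR_SU:
                    findings.append((who, "root-copy-or-su", cmd))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```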

