[sudo-users] Howto prohibit /usr/bin/su command ?

Todd C. Miller Todd.Miller at courtesan.com
Thu Sep 10 08:59:00 EDT 2009


In message <535640.76403.qm at web25107.mail.ukl.yahoo.com>
	so spake Ahmed Karoumi (akaroumi):

> Is it possible to create a rule which allows running ALL unix commands but
> without switching to any user ?
> 
> I would prohibit the command /usr/bin/su and allow all others.

There is no reliable way to do this.  Any time you give someone
sudo ALL, you make it possible for them to run whatever they like,
regardless of any negations such as !/usr/bin/su.

All the user has to do is make a copy of the proscribed command and
run that, or write a script that invokes it, etc.  If you are
concerned about what users can run, only give them access to what
they need.

 - todd
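As an added illustration of Todd's point (example code, not part of the original mail and not from the sudo project): the script below writes two constructed sudoers fragments for a hypothetical user "ahmed", the weak `ALL, !/usr/bin/su` form beside an explicit allow-list, and runs a small line-based audit that flags any user specification granting `ALL` and then trying to take commands back with `!`. The nginx service, the command paths and the `NGINX_CTL`/`NGINX_LOG` alias names are assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example (not from the sudo project or from Todd's mail): two constructed
# sudoers fragments for a hypothetical user "ahmed", plus a small line-based
# audit that flags the pattern the mail warns about, a command list of ALL
# followed by "!" negations.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak: ALL already grants arbitrary commands, so the negation is decorative.
cat > "$WORK/weak" <<'EOF'
# constructed sample
ahmed ALL = (ALL) ALL, !/usr/bin/su
EOF

# Hardened: grant only the needed commands, with full paths and fixed
# arguments, runnable as root only (so "sudo -u someone" is refused).
# NOEXEC: stops the listed programs from launching further programs.
# Nothing needs to be excluded because nothing else is granted.
cat > "$WORK/hardened" <<'EOF'
# constructed sample; the nginx service and command paths are assumptions
Cmnd_Alias NGINX_CTL = /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
Cmnd_Alias NGINX_LOG = /usr/bin/tail -n 200 /var/log/nginx/error.log
ahmed ALL = (root) NOEXEC: NGINX_CTL, NGINX_LOG
EOF

# audit_sudoers FILE
# Prints every user specification whose command list contains a bare ALL and
# at least one "!" negation; returns 0 when none is found, 1 otherwise.
# Heuristic only: it does not expand aliases or follow #include directives.
audit_sudoers() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|Cmnd_Alias*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        cmnds=${line#*=}            # text after the first "="
        cmnds=${cmnds#*\)}          # drop an optional "(runas)" group
        # Split on blanks, commas and tag colons; look for a token that is exactly ALL.
        if printf '%s\n' "$cmnds" | tr ' ,:' '\n\n\n' | grep -qx 'ALL'; then
            case "$cmnds" in
                *'!'*) printf 'WEAK: %s\n' "$line"; found=1 ;;
            esac
        fi
    done < "$1"
    [ "$found" -eq 0 ]
}

main() {
    printf '== weak ==\n'
    audit_sudoers "$WORK/weak" || printf 'ALL plus negation: not a restriction\n'
    printf '== hardened ==\n'
    audit_sudoers "$WORK/hardened" && printf 'no ALL grant; nothing to take back\n'
}
main
```

To use the audit on a real policy, point `audit_sudoers` at the file and validate the syntax separately with `visudo -c -f FILE`; `sudo -l -U ahmed` (as root) then shows what the resulting policy actually grants. The `(root)` Runas specification in the hardened fragment is what answers the "without switching to any user" part of the question: the user can run the listed commands as root and nothing as anyone else. The check is deliberately simple; a `Cmnd_Alias` that itself expands to `ALL` would slip past it.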
