[sudo-users] Re : Howto prohibit /usr/bin/su command ?

Ahmed Karoumi akaroumi at yahoo.com
Fri Sep 11 05:38:06 EDT 2009


Hello Todd,

It's true you are right.

but difficult to get for many teams the list of commands that they really need.
It's a big challenge !

Thanks for your help.

 
-- 
Cordialement,
Ahmed Karoumi
________________________________________
Couriel: akaroumi at yahoo.com
GPG 0x06F109D9 / PGP 0x479AF9BE06F109D9
_________________________________________



----- Message d'origine ----
> De : Todd C. Miller <Todd.Miller at courtesan.com>
> À : Ahmed Karoumi <akaroumi at yahoo.com>
> Cc : sudo-users at sudo.ws
> Envoyé le : Jeudi, 10 Septembre 2009, 14h59mn 00s
> Objet : Re: [sudo-users] Howto prohibit /usr/bin/su command ? 
> 
> In message <535640.76403.qm at web25107.mail.ukl.yahoo.com>
>     so spake Ahmed Karoumi (akaroumi):
> 
> > Is it possible to create a rule which is allow to run ALL unix commands but w
> > ithout to switch to any users ?
> > 
> > I would prohibit the command /usr/bin/su and allow all other.
> 
> There is no reliable way to do this.  Any time you give someone
> sudo ALL, you make it possible for them to run whatever they like,
> regardless of any negations such as !/usr/bin/su.
> 
> All the user has to do is make a copy of the proscribed command and
> run that, or write a script that invokes it, etc.  If you are
> concerned about what users can run, only give them access to what
> they need.
> 
> - todd



      




More information about the sudo-users mailing list