[sudo-users] Re: Howto prohibit /usr/bin/su command ?

Ahmed Karoumi akaroumi at yahoo.com
Fri Sep 11 05:33:15 EDT 2009


Hello Philippe,

Yes, you are right, it's working in my environment too.

But the main issue that I have is that if I implement these rules:
1. sudocommand=!/usr/bin/su        here the command is prohibited
2. sudocommand=ALL                 all others are authorized

any system administrator with good skills can bypass this by:
a) making a copy of the command /usr/bin/su in another path
b) using a combination of sudo commands like this: sudoA sudoB su - root
c) using another weakness of the sudo code

the right rules should be:
1. sudocommand=!ALL                I start by prohibiting all unix commands
2. sudocommand=/usr/sbin/bootinfo  then this command is authorized
3. sudocommand=....                then this one also...

but there are more than 1000 commands in a unix system, therefore many lines :-(

Thanks.

-- 
Regards,
Ahmed Karoumi
________________________________________
Email: akaroumi at yahoo.com

GPG 0x06F109D9 / PGP 0x479AF9BE06F109D9
_________________________________________


>
> From: Philippe Caseiro <caseiro.philippe at gmail.com>
> To: Ahmed Karoumi <akaroumi at yahoo.com>
> Cc: sudo-users at sudo.ws
> Sent: Thursday, 10 September 2009, 14:23:45
> Subject: Re: [sudo-users] Howto prohibit /usr/bin/su command ?
>
> Hello
>
> like "!/usr/bin/su", it works on my LDAP-stored configuration.
>
> Regards
> --
> Philippe Caseiro
>
>
> 2009/9/9 Ahmed Karoumi <akaroumi at yahoo.com>
>
>> Hello,
>>
>> Is it possible to create a rule which allows running ALL unix commands but without switching to any user?
>>
>> I would prohibit the command /usr/bin/su and allow all others.
>> Thanks for your help.
>>
>> --
>> Regards,
>> Ahmed Karoumi
>>
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>
> -- 
> Philippe Caseiro


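The deny-list versus allow-list point made in the message above, as an added example that is not part of the thread and not code from the sudo project: a small POSIX shell model of how sudo evaluates a comma-separated command list such as `ALL, !/usr/bin/su`. It models only the rules the discussion turns on (entries are applied in order and the last match wins, `ALL` matches every path, a leading `!` negates, and matching is on the path the user names rather than on file contents); real sudoers matching has more features (Cmnd_Alias, wildcards, argument matching) that are left out. The sudoers fragments, and the function names `trim`, `sudo_would_allow` and `show`, are this example's own constructions. The sudoers(5) manual itself notes that subtracting commands from `ALL` with `!` is generally not effective, which is why the "start from `!ALL`, then list what is permitted" approach is the one to use.

```shell
#!/bin/sh
# Added example (not from the sudo project or the thread): a minimal model of
# sudo's command-list evaluation. Assumed semantics, per sudoers(5):
#   - entries are tried in order and the LAST matching entry wins,
#   - "ALL" matches every command path,
#   - a leading "!" negates the entry (deny instead of allow),
#   - matching is on the path named by the user, not on file contents.
# Function and variable names below are this example's own.

# Strip surrounding whitespace from one list entry.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if CMD is permitted by the command list LIST, 1 if it is denied.
sudo_would_allow() {
    list=$1; cmd=$2
    verdict=1                       # nothing matched yet: denied
    saved_ifs=$IFS; IFS=','
    for raw in $list; do
        entry=$(trim "$raw")
        case $entry in
            '!'*) negated=1; pattern=${entry#!} ;;
            *)    negated=0; pattern=$entry ;;
        esac
        if [ "$pattern" = ALL ] || [ "$pattern" = "$cmd" ]; then
            verdict=$negated        # last match wins: 0 allowed, 1 denied
        fi
    done
    IFS=$saved_ifs
    return "$verdict"
}

# Constructed sudoers command lists (not taken from any real system).
DENY_LIST='ALL, !/usr/bin/su'                  # "everything except su"
ALLOW_LIST='/usr/sbin/bootinfo, /usr/bin/df'   # "nothing except these"
# The second list is what "!ALL" followed by permitted commands amounts to:
# anything not listed is already denied.

# Print the verdict for one command under one list.
show() {
    if sudo_would_allow "$1" "$2"; then
        echo "allowed: $2    [$1]"
    else
        echo "denied:  $2    [$1]"
    fi
}

show "$DENY_LIST"  /usr/bin/su          # denied, as intended
show "$DENY_LIST"  /tmp/su              # allowed: ALL also matches a renamed copy
show "$ALLOW_LIST" /tmp/su              # denied: not on the list
show "$ALLOW_LIST" /usr/sbin/bootinfo   # allowed
```

The second and third `show` lines are the whole argument: under the deny-list the renamed copy from point a) is matched by `ALL` and runs, while under the allow-list it is rejected without any special rule. The cost is the long list of permitted commands the message complains about, which in real sudoers is usually kept manageable with `Cmnd_Alias` groups rather than one entry per binary.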
      


More information about the sudo-users mailing list