[sudo-users] Disabling "sudo su" but allow everything else?

Rick_Steele at oxy.com
Mon Aug 2 13:04:38 EDT 2010


This works for me. See the entries for "RSS-TAW" and "LOCALACCTS". We use Centrify here and the RSS-TAW is a group of AD Accounts.

# Commands that must never be run via sudo, even though ALL is granted below.
# Entries with arguments match only that exact argument list.
Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
# Shells and shell-granting programs; a bare path matches any arguments.
Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
# Mail the admins when a user is not in sudoers or is not permitted the command.
Defaults  mailto="Linux_Unix_Admin at oxy.com"
Defaults  mail_no_perms
Defaults  mail_no_user
Defaults  mailerpath=/usr/sbin/sendmail
Defaults  mailsub="*** executed command via sudo on %h ***"
Defaults  mailerflags="-t"
# Unrestricted admins.
%admin          ALL=(ALL)   ALL
# Local accounts and the RSS-TAW AD group: everything except shells and the RESTRICTED set.
# Order matters: ALL is granted first and the negated aliases after it, since the last match wins.
User_Alias      LOCALACCTS = xxxxxxx
LOCALACCTS      ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
##ohollic1
%RSS-TAW   ALL=(ALL)   ALL , !SHELLS, !RESTRICTED


Rick Steele 
Consultant, Enterprise Server Operations
OXY Inc. 
713-215-7836 Office; 832-744-5824 Cell, 713-215-7170 FAX
THIS COMMUNICATION IS ONLY FOR THE USE OF THE INTENDED RECIPIENT. IT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF OCCIDENTAL PETROLEUM CORPORATION OR ITS AFFILIATED CORPORATIONS. UNAUTHORIZED USE, DISTRIBUTION, OR DISCLOSURE IS PROHIBITED. IF YOU ARE NOT THE INTENDED RECIPIENT PLEASE NOTIFY THE SENDER.


-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
Sent: Monday, August 02, 2010 11:59 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Disabling "sudo su" but allow everything else?

I know it's not the preferred way to go about doing things but I've
got a group of people that ssh into systems with a designated user
account and I want to allow them to do everything on the system other
than doing a 'sudo su' and 'sudo su -'.  I've tried the following but
can't seem to get it to work:

  User_Alias      OKGUYS = userone, usertwo
  Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
  OKGUYS ALL = NOPASSWD: ALL, NON

Is there a way to actually do this?

Cheers!
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
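As an added example (editor's code, not part of this thread and not from the sudo project), here is a small Python model of how sudo evaluates a Cmnd_Spec_List such as the `%RSS-TAW` line above: Cmnd_Alias names expand to their members, a spec with no arguments matches any arguments, a spec with arguments must match them exactly, and the last matching entry on the line wins. It assumes commands are written as the path sudo would actually execute (`sudo su` becomes `/usr/bin/su` or `/bin/su`, depending on PATH) and does not model wildcards or regular expressions. Running the posted rule over a few constructed commands shows what it denies, and also why sudoers(5) warns that subtracting commands from ALL with `!` is not a reliable restriction: the exact-argument entries `/bin/su - root` and `/bin/su -` deny only those spellings, so a bare `/bin/su` entry (as the SHELLS alias already has for `/usr/bin/su`) is the safer form, and the order of the list matters, since `!SHELLS, ALL` would allow everything. The `HARDENED_RULE` below is a hypothetical variant, not something from the thread.

```python
"""Added example (editor's code, not from this thread or the sudo project):
a small model of how sudo decides whether a Cmnd_Spec_List such as
"ALL , !SHELLS, !RESTRICTED" permits a command.  It covers only what the
posted config uses: Cmnd_Alias expansion, ALL, the '!' operator, exact path
matching, "no arguments listed means any arguments", and sudo's rule that
the last matching entry wins.  Wildcards and regular expressions are not
modelled (assumption: commands are given as the path sudo would execute).
"""

import shlex

# Cmnd_Alias definitions copied from the posted sudoers fragment.
CMND_ALIASES = {
    "RESTRICTED": ["/bin/vi /etc/sudoers", "/bin/su - root", "/bin/su -",
                   "/usr/sbin/visudo"],
    "SHELLS": ["/bin/sh", "/bin/ksh", "/bin/bash", "/bin/zsh", "/bin/csh",
               "/bin/tcsh", "/usr/bin/login", "/usr/bin/su"],
}

# Command list from the posted line "%RSS-TAW ALL=(ALL) ALL , !SHELLS, !RESTRICTED".
POSTED_RULE = ["ALL", "!SHELLS", "!RESTRICTED"]

# Hypothetical hardening: deny /bin/su regardless of arguments, mirroring how
# the posted SHELLS alias already lists /usr/bin/su as a bare path.
HARDENED_RULE = ["ALL", "!SHELLS", "!RESTRICTED", "!/bin/su"]


def expand(entry):
    """Expand one list entry into (allow, spec) pairs, honouring leading '!'."""
    allow = True
    while entry.startswith("!"):
        allow = not allow          # '!!' cancels out, as in sudoers
        entry = entry[1:]
    return [(allow, spec) for spec in CMND_ALIASES.get(entry, [entry])]


def spec_matches(spec, argv):
    """True if a sudoers command spec matches argv (path followed by args)."""
    if spec == "ALL":
        return True
    spec_argv = shlex.split(spec)
    if spec_argv[0] != argv[0]:    # the path must match exactly
        return False
    if len(spec_argv) == 1:        # bare path: any arguments match
        return True
    return spec_argv[1:] == argv[1:]   # listed arguments: exact match only


def permitted(rule, command):
    """Apply sudo's last-match-wins evaluation; no match at all means denied."""
    argv = shlex.split(command)
    decision = False
    for entry in rule:
        for allow, spec in expand(entry):
            if spec_matches(spec, argv):
                decision = allow
    return decision


def report(rule, commands):
    """Map each command to its decision so a policy can be reviewed at a glance."""
    return {cmd: permitted(rule, cmd) for cmd in commands}


# Constructed sample commands, written as the paths sudo would execute.
SAMPLE_COMMANDS = [
    "/usr/bin/id -u",
    "/bin/vi /etc/hosts",
    "/bin/vi /etc/sudoers",
    "/bin/bash -c ls",
    "/usr/bin/su - root",
    "/bin/su - root",
    "/bin/su root",
    "/usr/sbin/visudo -c",
]

if __name__ == "__main__":
    for rule_name, rule in (("posted", POSTED_RULE), ("hardened", HARDENED_RULE)):
        print(f"--- {rule_name}: {' , '.join(rule)}")
        for cmd, ok in report(rule, SAMPLE_COMMANDS).items():
            print(f"{'ALLOW' if ok else 'deny '}  {cmd}")
    # Order matters: with ALL listed last, the denials before it are overridden.
    print("'!SHELLS, ALL' permits /bin/bash:", permitted(["!SHELLS", "ALL"], "/bin/bash"))
```

The model is a review aid, not a substitute for sudo itself: after editing, validate the real file with `visudo -c -f <file>` before installing it, and remember that an allowed command which can itself start a shell or edit files as root gives the same capability the negated entries were meant to withhold, which is the reason the sudoers manual recommends an explicit allowlist over subtracting from ALL.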
