[sudo-users] Disabling "sudo su" but allow everything else?
jimmy.cr4ckc0rn at gmail.com
Mon Aug 2 14:50:37 EDT 2010
Perfect, thanks Rick!
On Mon, Aug 2, 2010 at 11:04, <Rick_Steele at oxy.com> wrote:
> This works for me. See the entries for "RSS-TAW" and "LOCALACCTS". We use Centrify here and the RSS-TAW is a group of AD Accounts.
> Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
> Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
> Defaults mailto="Linux_Unix_Admin at oxy.com"
> Defaults mail_no_perms
> Defaults mail_no_user
> Defaults mailerpath=/usr/sbin/sendmail
> Defaults mailsub="*** executed command via sudo on %h ***"
> Defaults mailerflags="-t"
> %admin ALL=(ALL) ALL
> User_Alias LOCALACCTS = xxxxxxx
> LOCALACCTS ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
> %RSS-TAW ALL=(ALL) ALL , !SHELLS, !RESTRICTED
> Rick Steele
> Consultant, Enterprise Server Operations
> OXY Inc.
> 713-215-7836 Office; 832-744-5824 Cell, 713-215-7170 FAX
> THIS COMMUNICATION IS ONLY FOR THE USE OF THE INTENDED RECIPIENT. IT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF OCCIDENTAL PETROLEUM CORPORATION OR ITS AFFILIATED CORPORATIONS. UNAUTHORIZED USE, DISTRIBUTION, OR DISCLOSURE IS PROHIBITED. IF YOU ARE NOT THE INTENDED RECIPIENT PLEASE NOTIFY THE SENDER.
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
> Sent: Monday, August 02, 2010 11:59 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Disabling "sudo su" but allow everything else?
> I know it's not the preferred way to go about doing things but I've
> got a group of people that ssh into systems with a designated user
> account and I want to allow them to do everything on the system other
> than doing a 'sudo su' and 'sudo su -'. I've tried the following but
> can't seem to get it to work:
> User_Alias OKGUYS = userone, usertwo
> Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
> OKGUYS ALL = NOPASSWD: ALL, NON
> Is there a way to actually do this?
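The rules Rick posted rely on subtracting commands from ALL, and sudoers(5) is explicit that this is not a real restriction: a user can copy the denied binary to another name and run that, and any permitted program with a shell escape (vi's :! for example) gets there too. The added example below, which is not from the thread and not sudo's own code, is a small evaluator for the subset of sudoers syntax used above (Cmnd_Alias, User_Alias, user and %group specs, NOPASSWD, negation) that applies the documented matching rules: entries are scanned in file order, the last match wins, an entry with no arguments matches any arguments, and an entry with arguments matches only that exact argument list. It assumes a hypothetical account "ops" in place of the masked LOCALACCTS member and ignores hosts, Runas lists and wildcards. Whether a real host treats /bin/su and /usr/bin/su as the same command depends on the filesystem layout and sudo version, so the "su root" result is what the posted rules say, not a statement about any particular system.

```python
"""Evaluate requests against the sudoers fragment posted above.

Matching follows sudoers(5): specs are scanned in file order and the last
matching entry wins; an entry without arguments matches any arguments, an
entry with arguments matches only that exact list, and ALL matches anything.
"""
import shlex

# Rick's fragment.  Assumption: the masked User_Alias member is an account "ops".
SUDOERS = """
Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
Defaults mail_no_perms
%admin ALL=(ALL) ALL
User_Alias LOCALACCTS = ops
LOCALACCTS ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
%RSS-TAW ALL=(ALL) ALL , !SHELLS, !RESTRICTED
"""

TAGS = {"NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:"}


def parse(text):
    """Return (cmnd_aliases, user_aliases, specs) for the syntax subset above."""
    cmnd_aliases, user_aliases, specs = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith(("Cmnd_Alias", "User_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (s.strip() for s in rest.split("=", 1))
            table = cmnd_aliases if kind == "Cmnd_Alias" else user_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        # user spec:  <user> <host> = [(runas)] [TAG:]... cmd, !cmd, ...
        who_host, cmds = line.split("=", 1)
        who = who_host.split()[0]
        cmds = cmds.strip()
        if cmds.startswith("("):
            cmds = cmds[cmds.index(")") + 1:]
        words = cmds.split()
        while words and words[0] in TAGS:
            words.pop(0)
        specs.append((who, [c.strip() for c in " ".join(words).split(",")]))
    return cmnd_aliases, user_aliases, specs


def expand(entries, cmnd_aliases, negate=False):
    """Flatten Cmnd_Alias references into ordered (negated, path, args) tuples."""
    out = []
    for entry in entries:
        neg = negate
        while entry.startswith("!"):
            neg, entry = not neg, entry[1:].strip()
        if entry in cmnd_aliases:
            out.extend(expand(cmnd_aliases[entry], cmnd_aliases, neg))
        elif entry == "ALL":
            out.append((neg, "ALL", None))
        else:
            path, _, argstr = entry.partition(" ")
            args = shlex.split(argstr) if argstr.strip() else None  # None: any args
            out.append((neg, path, [] if args == [""] else args))    # "": no args
    return out


def user_matches(who, user, groups, user_aliases):
    if who == "ALL":
        return True
    if who.startswith("%"):
        return who[1:] in groups
    return user in user_aliases.get(who, [who])


def cmnd_matches(path, args, want_path, want_args):
    if want_path == "ALL":
        return True
    return path == want_path and (want_args is None or list(args) == want_args)


def is_allowed(rules, user, groups, path, args=()):
    """True if sudo would run `path args` for `user`; no matching entry means deny."""
    cmnd_aliases, user_aliases, specs = rules
    verdict = False
    for who, entries in specs:
        if not user_matches(who, user, groups, user_aliases):
            continue
        for negated, want_path, want_args in expand(entries, cmnd_aliases):
            if cmnd_matches(path, args, want_path, want_args):
                verdict = not negated  # last match wins
    return verdict


def demo():
    """What the posted rules let the LOCALACCTS member do (True = permitted)."""
    rules = parse(SUDOERS)

    def ask(path, *args):
        return is_allowed(rules, "ops", {"ops"}, path, args)

    return {
        "su -": ask("/usr/bin/su", "-"),                 # denied by SHELLS
        "su - root": ask("/bin/su", "-", "root"),        # denied by RESTRICTED
        "su root": ask("/bin/su", "root"),               # not denied: argument list differs
        "vi /etc/hosts": ask("/bin/vi", "/etc/hosts"),   # allowed, and vi offers :!sh
        "copied shell": ask("/tmp/sh"),                  # allowed: the sudoers(5) caveat
        "stranger bash": is_allowed(rules, "guest", {"guest"}, "/bin/bash"),  # no entry
    }
```

Run demo() to see the verdicts; the three True results are the holes a denylist built from ALL leaves open, which is why the sudoers manual recommends listing the commands a role may run rather than the ones it may not, and why the NOEXEC tag exists for programs such as editors and pagers that can spawn a shell.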