[sudo-users] Disabling "sudo su" but allow everything else?

Jimmy Crackcorn jimmy.cr4ckc0rn at gmail.com
Mon Aug 2 14:50:37 EDT 2010


Perfect, thanks Rick!

On Mon, Aug 2, 2010 at 11:04,  <Rick_Steele at oxy.com> wrote:
> This works for me. See the entries for "RSS-TAW" and "LOCALACCTS".  We use Centrify here and the RSS-TAW is a group of AD Accounts.
>
> Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
> Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
> Defaults  mailto="Linux_Unix_Admin at oxy.com"
> Defaults  mail_no_perms
> Defaults  mail_no_user
> Defaults  mailerpath=/usr/sbin/sendmail
> Defaults  mailsub="*** executed command via sudo on %h ***"
> Defaults  mailerflags="-t"
> %admin          ALL=(ALL)   ALL
> User_Alias      LOCALACCTS = xxxxxxx
> LOCALACCTS      ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
> ##ohollic1
> %RSS-TAW   ALL=(ALL)   ALL , !SHELLS, !RESTRICTED
>
>
> Rick Steele
> Consultant, Enterprise Server Operations
> OXY Inc.
> 713-215-7836 Office; 832-744-5824 Cell, 713-215-7170 FAX
>
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
> Sent: Monday, August 02, 2010 11:59 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Disabling "sudo su" but allow everything else?
>
> I know it's not the preferred way to go about doing things but I've
> got a group of people that ssh into systems with a designated user
> account and I want to allow them to do everything on the system other
> than doing a 'sudo su' and 'sudo su -'.  I've tried the following but
> can't seem to get it to work:
>
>  User_Alias      OKGUYS = userone, usertwo
>  Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
>  OKGUYS ALL = NOPASSWD: ALL, NON
>
> Is there a way to actually do this?
>
> Cheers!
>
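
An added example, not code from either poster or from the sudo project: a small Python check that flags the two patterns in the rules quoted above, a negated entry whose path is sudo itself (sudo evaluates "sudo su" against su's own path, so "!/usr/bin/sudo su" never applies to it) and a grant of ALL with commands subtracted by "!", which the sudoers(5) manual describes as generally not effective. The sample input is constructed from both posters' rules, the parser handles only the simplified syntax shown, and the finding names are assumptions of this example.

```python
import re

# Constructed sample: Jimmy's rule plus a shortened form of Rick's aliases.
SAMPLE = """\
User_Alias OKGUYS = userone, usertwo
Cmnd_Alias NON = !/usr/bin/sudo su, !/usr/bin/sudo su -
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/su
OKGUYS ALL = NOPASSWD: ALL, NON
%RSS-TAW ALL=(ALL) ALL, !SHELLS
%admin ALL=(ALL) ALL
"""
SKIP = ("#", "Defaults", "User_Alias", "Host_Alias", "Runas_Alias")

def parse(text):
    """Split simplified sudoers text into a Cmnd_Alias map and user specs."""
    aliases, specs = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(SKIP):
            continue
        left, _, right = line.partition("=")
        if left.startswith("Cmnd_Alias"):
            aliases[left.split()[1]] = [c.strip() for c in right.split(",")]
            continue
        right = re.sub(r"^\s*\([^)]*\)\s*", "", right)      # drop (runas)
        right = re.sub(r"^\s*(?:[A-Z]+:\s*)+", "", right)   # drop NOPASSWD: etc.
        specs.append((left.split()[0], [c.strip() for c in right.split(",")]))
    return aliases, specs

def expand(item, aliases, neg=False):
    """Flatten one list item into (negated, command) pairs, following aliases."""
    while item.startswith("!"):
        neg, item = not neg, item[1:].strip()
    if item in aliases:
        return [p for m in aliases[item] for p in expand(m, aliases, neg)]
    return [(neg, item)]

def lint(text):
    """Return (who, kind, command) findings for deny-list style rules."""
    aliases, specs = parse(text)
    findings = []
    for who, items in specs:
        flat = [p for i in items for p in expand(i, aliases)]
        denied = [cmd for neg, cmd in flat if neg]
        if (False, "ALL") in flat and denied:
            # sudoers(5): subtracting commands from ALL is generally not effective
            findings.append((who, "all-minus-list", ", ".join(denied)))
        for cmd in denied:
            if cmd.split()[0].endswith("/sudo"):
                # path is sudo itself; "sudo su" is checked against su's path
                findings.append((who, "names-sudo", cmd))
    return findings
```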
