[sudo-users] preventing user "bob" from executing sudo at all

Matthew Hannigan mlh at zip.com.au
Tue Mar 2 21:18:51 EST 2010


On Wed, Mar 03, 2010 at 11:45:09AM +1000, Felipe Alvarez wrote:
> Hi list
> I want to prevent 'bob' from using sudo entirely. What should I type
> into /etc/sudoers (via visudo)? I want 'bob' to never gain root
> privileges, never use 'su', and never run anything as root user.
> Perhaps not related to sudo but ... If possible, I'd also like to
> prevent 'bob' from running mount, passwd, or any setUID program.

sudo doesn't deny, it only allows.

So the answer is nothing - you cannot stop evil bob from running su for instance.

Well you can, but that would involve, say, removing execution bits for "other"
on all (setuid) executables, and putting everyone else into a group
that is allowed to execute them.

The real answer is type enforcement (selinux/flask etc).
There are some existing commercial systems that do this.

Often the overhead in complexity far outweighs the benefit.

What did bob do to deserve this anyway?

Matt
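Matt's group-based workaround, as an added example that is not part of the original thread: audit the setuid executables under a tree and drop the "other" execute bit so that only the owner and the file's group can run them. It operates on a constructed fixture directory rather than the real system, and the group assignment itself (chgrp to a trusted group) is left as a manual root step.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): audit setuid
# binaries and lock them down the way Matt's reply sketches.
# Nothing here touches the real system; the demo runs on a constructed
# fixture directory so it is safe to execute as an unprivileged user.

# List setuid executables below a root directory, one path per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Remove the "other" execute bit so only the owner and members of the
# file's group can run the program; the setuid bit itself stays in place.
# Assigning the trusted group (e.g. chgrp wheel "$f") is a separate, manual
# step: it needs root and a group that may not exist where this runs.
restrict_to_group() {
    for f in "$@"; do
        chmod o-x "$f"
    done
}

# Return 0 if "other" still has execute permission on the file.
others_can_exec() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=x)" ]
}

# Count setuid files under a root that are still executable by "other".
count_world_exec_setuid() {
    n=0
    for f in $(list_setuid "$1"); do
        others_can_exec "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Constructed fixture: a fake usr/bin with two setuid programs (mount,
# passwd) and one ordinary program (ls) under a temporary directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin"
    for name in mount passwd ls; do
        printf '#!/bin/sh\necho %s\n' "$name" > "$dir/usr/bin/$name"
        chmod 0755 "$dir/usr/bin/$name"
    done
    chmod u+s "$dir/usr/bin/mount" "$dir/usr/bin/passwd"
    echo "$dir"
}
```

On a real host the audit step is `list_setuid /`, run as root, and the output is what you review before deciding which programs bob's group should keep.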
