[sudo-users] "su" to any user BUT root + run any command without being prompted for password

Gonzalez, Aliep aliep.gonzalez at rbc.com
Fri May 4 14:22:30 EDT 2012


Hello All,

Environment: RHEL6, native version of the sudo binary
(sudo-1.7.2p2-9.el6.x86_64).

I am trying to allow a certain group of users to be able to "su" to any
user on the system but root. I also want those users to be able to
run any command on the system without being prompted for a password.

The below entries seem to take care of restricting the "su" command:

Cmnd_Alias     SUROOT = /bin/su - root, /bin/su -, /bin/su$, \
                        /usr/bin/su - root, /usr/bin/su -, /usr/bin/su$
Cmnd_Alias     SUOTHERS = /bin/su - [a-zA-Z0-9]*, /bin/su [a-zA-Z0-9]*, \
                          /usr/bin/su - [a-zA-Z0-9]*, /usr/bin/su [a-zA-Z0-9]*
%mygroup        ALL = (ALL) NOPASSWD: SUOTHERS, !SUROOT

However, once I add the "(ALL) NOPASSWD: ALL" directive to the group as
shown below (so they can run all commands on the system); users are
allowed to run "sudo su":

%mygroup        ALL = (ALL) NOPASSWD: ALL, (ALL) NOPASSWD: SUOTHERS, \
                      !SUROOT

"sudo su -" and "sudo su - root" are still being (correctly) denied.

Is this a known issue or rather a configuration problem? Any pointers on
how to make this work will be greatly appreciated.

Thanks in advance,
AG

_______________________________________________________________________

This email may be privileged and/or confidential, and the
sender does not waive any related rights and obligations.
Any distribution, use or copying of this email or the
information it contains by other than an intended recipient
is unauthorized. If you received this email in error,
please advise the sender (by return email or otherwise)
immediately. You have consented to receive the attached
electronically at the above-noted email address; please retain a
copy of this confirmation for future reference.

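Editor's note, an added example that is not part of the original post: the reason "sudo su" slips through the configuration above is that sudoers matches command names and arguments with fnmatch()-style shell globs, not regular expressions. "/bin/su$" therefore only matches a program literally named "su$", so a bare "su" is never in SUROOT, and the "ALL" entry lets it through. The no-argument form of a command is spelled with an empty string in sudoers. The fragment below reuses the group name and su paths from the post and adds the remaining common spellings of "become root" as an assumption about what the poster wants denied.

```sudoers
# Added example (not the poster's configuration).  Group name and su paths
# are taken from the post; the extra root spellings are assumptions.

# A command followed by "" matches that command run with NO arguments.
# A command with no trailing pattern matches it with ANY arguments.
Cmnd_Alias  SUROOT   = /bin/su "", /bin/su -, /bin/su - root, /bin/su root, \
                       /bin/su -l root, /bin/su --login root, \
                       /usr/bin/su "", /usr/bin/su -, /usr/bin/su - root, \
                       /usr/bin/su root, /usr/bin/su -l root, \
                       /usr/bin/su --login root

# Glob character classes are honoured, but note that "[a-zA-Z0-9]*" also
# matches the argument "root", so this alias overlaps SUROOT.
Cmnd_Alias  SUOTHERS = /bin/su - [a-zA-Z0-9]*, /bin/su [a-zA-Z0-9]*, \
                       /usr/bin/su - [a-zA-Z0-9]*, /usr/bin/su [a-zA-Z0-9]*

# Entries in a user specification are evaluated in order and the LAST
# match wins, so the negated alias has to come after everything it is
# meant to override.  SUOTHERS is already covered by ALL and is listed
# only to document the intent.
%mygroup    ALL = (ALL) NOPASSWD: ALL, SUOTHERS, !SUROOT
```

Two caveats a reviewer would raise before deploying this. First, the list of ways to reach root through su is open-ended ("su -m root", "su -- root", "su -c command", "su -s /bin/sh root", and so on), and each needs its own SUROOT entry because globs only match the argument strings you write down. Second, the sudoers manual itself warns that subtracting commands from ALL with "!" is generally not effective: a user who may run ALL as root with NOPASSWD can simply run "sudo -i", "sudo bash", or copy /bin/su to another name and run that. The "!SUROOT" entry therefore prevents accidental use of "sudo su", not deliberate escalation; if the real requirement is "everything except becoming root", the grant has to be an explicit allow-list of commands rather than ALL with exclusions.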

