[sudo-users] How to Block with wildcards: sudo su?
Shawn McMahon
syberghost at gmail.com
Fri May 18 16:44:38 EDT 2012
That's a bad idea in general, since it's trivial to circumvent. Better would be:

    ORACLE_BDA SERVERS_DB = (oracle) ALL

...and then teach them to run:

    sudo -iu oracle

...in the rare instance they ACTUALLY need "su - oracle", and more often:

    sudo -iu oracle /path/to/some/command

I'd probably also look at adding log_output to that rule.

On Fri, May 18, 2012 at 3:14 PM, Jose <j.sejo1 at gmail.com> wrote:
> Hello
>
> I have configured sudo on AIX (IBM Unix), using wildcards.
>
>
> The users administrator oracle, because not using root.
>
> ORACLE_BDA SERVERS_DB = NOPASSWD: ALL, !/usr/bin/ksh, !/usr/bin/bash,
> !/usr/bin/vi /etc/sudoers, !/usr/sbin/visudo, !/usr/bin/smit,
> !/usr/bin/smitty, !/usr/bin/* root, !/usr/bin/* bash, !/usr/bin/* ksh, etc etc etc.
>
>
> It blocks: sudo visudo, sudo root passwd, sudo bash, sudo ksh, sudo
> -s, edit visudo, etc etc.
>
> But not: sudo su, and the users switch to root.
>
> My Answers:
>
> How do I block "sudo su" in sudoers?
>
> !/usr/bin/su ===> NO
>
> because the users need: sudo su oracle
>
> Thanks.
>
> Sorry for my english.
>
>
> --
> #############################
> # Sistema Operativo: Debian #
> # Caracas, Venezuela #
> #############################
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
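
Added example, not part of the original message and not code from the sudo project: a small Python audit that flags the rule shape the reply advises against (ALL followed by ! exclusions, run as root) and passes the suggested (oracle) ALL form. The sample sudoers text is constructed from the rules in the thread; the finding names and the simplified parsing (no alias expansion, no escaped commas) are assumptions.

```python
import re

# Constructed sample: the rule quoted in the thread (abridged) followed by
# the replacement suggested in the reply.
SAMPLE = """\
# constructed sample sudoers fragment
ORACLE_BDA SERVERS_DB = NOPASSWD: ALL, !/usr/bin/ksh, !/usr/bin/bash, \\
    !/usr/sbin/visudo, !/usr/bin/* root
ORACLE_BDA SERVERS_DB = (oracle) ALL
"""

# Lines that are not user specifications (comments, Defaults, alias definitions).
SKIP = re.compile(r"^(#|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

def audit_rule(rule):
    """Return finding names (hypothetical labels) for one 'who hosts = ...' rule."""
    rhs = rule.partition("=")[2].strip()
    runas = ["root"]                          # sudoers default with no Runas_Spec
    m = re.match(r"\(([^)]*)\)\s*", rhs)      # optional (user[,user][:group])
    if m:
        runas = [u.strip() for u in m.group(1).split(":")[0].split(",") if u.strip()]
        rhs = rhs[m.end():]
    m = re.match(r"(?:[A-Z_]+:\s*)+", rhs)    # leading tags such as NOPASSWD:
    tags = re.findall(r"[A-Z_]+", m.group(0)) if m else []
    cmds = [c.strip() for c in rhs[m.end() if m else 0:].split(",")]
    grants_all = "ALL" in cmds
    findings = []
    if grants_all and any(c.startswith("!") for c in cmds):
        findings.append("denylist-after-ALL")  # exclusions subtracted from ALL
    if grants_all and any(u in ("root", "ALL") for u in runas):
        findings.append("ALL-as-root")         # every command, root as target
    if "NOPASSWD" in tags:
        findings.append("NOPASSWD")
    return findings

def audit(text):
    """Audit every user specification in a sudoers fragment."""
    text = re.sub(r"\\\n\s*", " ", text)       # join backslash continuations
    lines = [l.strip() for l in text.splitlines()]
    return [(l, audit_rule(l)) for l in lines if "=" in l and not SKIP.match(l)]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE):
        print(", ".join(findings) or "ok", "<-", line)
```

Run it against a copy of the sudoers file; rules it passes should still be checked with visudo -c before deployment.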