[sudo-users] Sudo su

terry at remote-shell.org terry at remote-shell.org
Fri Jun 29 12:41:42 MDT 2018


I like to use a construct like the following. It's quite flexible, and
makes for a good base to expand upon as needed in the future.


Host_Alias PRD_H = prodhost1,prodhost2
Host_Alias DEV_H = devhost1,devhost2

Runas_Alias PRD_A = prodappid
Runas_Alias DEV_A = devappid

User_Alias USERS = %somegroupname

Cmnd_Alias INIT = /sbin/service foo restart, \
    /sbin/systemctl restart bar

Cmnd_Alias BIN = /bin/kill, /sbin/reboot, /bin/traceroute

Cmnd_Alias APPID_SHELL = /bin/bash

USERS DEV_H,PRD_H = (root) INIT, BIN

USERS DEV_H = (DEV_A) APPID_SHELL
USERS PRD_H = (PRD_A) APPID_SHELL

Quoting Shawn McMahon <syberghost at gmail.com>:

> Don't try blacklisting, it doesn't work. Give it a rule to become any
> account in a certain group, and add accounts to that group as needed.
>
> Or please remove all my personal information from your systems, because I
> don't want it there if you're doing blacklisting. It can't work. Please
> don't be lazy with my personal information.
>
>
> On Fri, Jun 29, 2018 at 1:14 PM Price, Dean <dprice1 at metlife.com> wrote:
>
>> Folks,
>>                 I know giving sudo su - is a bad idea, but we have an
>> automated tool that will need to sudo su to multiple accounts but we want
>> to restrict is from being able to su to root. How could I allow su to any
>> id but root?
>>
>> Thank you,
>> Dean A. Price, CISSP
>> MetLife - IT Security Consultant
>> dprice1 at metlife.com<mailto:dprice1 at metlife.com>
>> 570-585-3407
>>
>> The information contained in this message may be CONFIDENTIAL and is for
>> the intended addressee only. Any unauthorized use, dissemination of the
>> information, or copying of this message is prohibited. If you are not the
>> intended addressee, please notify the sender immediately and delete this
>> message.
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> https://www.sudo.ws/mailman/listinfo/sudo-users
>>
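As an added illustration of why the allow-list layout above answers the original question without any blacklisting, here is a small Python evaluator for that sudoers subset (this is example code written for this note, not part of the thread and not sudo's own matcher). It parses the four alias kinds plus "USERS HOSTS = (RUNAS) CMDS" lines, expands aliases, and reports whether a given user on a given host may run a command as a given target account. The group membership table and the user names are constructed sample data; real sudoers matching (negation, wildcards, Runas groups, Defaults) is considerably richer, so the authoritative checks on a real system remain "visudo -c -f FILE" and "sudo -l -U USER".

```python
"""Evaluate a simplified allow-list sudoers policy (added example, not sudo itself).

Assumptions: commands are compared by exact string, or by path alone when the
alias entry is a bare path (a bare path in sudoers permits any arguments);
group membership comes from the constructed GROUPS table below.
"""
import re

# The Runas allow-list template from the post, with INIT joined onto one line.
SUDOERS = """
Host_Alias PRD_H = prodhost1,prodhost2
Host_Alias DEV_H = devhost1,devhost2
Runas_Alias PRD_A = prodappid
Runas_Alias DEV_A = devappid
User_Alias USERS = %somegroupname
Cmnd_Alias INIT = /sbin/service foo restart, /sbin/systemctl restart bar
Cmnd_Alias BIN = /bin/kill, /sbin/reboot, /bin/traceroute
Cmnd_Alias APPID_SHELL = /bin/bash
USERS DEV_H,PRD_H = (root) INIT, BIN
USERS DEV_H = (DEV_A) APPID_SHELL
USERS PRD_H = (PRD_A) APPID_SHELL
"""

# Constructed sample group table standing in for /etc/group lookups.
GROUPS = {"somegroupname": {"alice", "bob"}}

ALIAS_KINDS = ("Host_Alias", "Runas_Alias", "User_Alias", "Cmnd_Alias")
SPEC_RE = re.compile(r"(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(.*)")


def parse(text):
    """Return (aliases, specs): alias tables by kind and a list of user specs."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" ")
        if kind in aliases:
            name, _, members = rest.partition("=")
            aliases[kind][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError("unsupported line: " + line)
        users, hosts, runas, cmds = m.groups()
        specs.append((users.split(","), hosts.split(","), runas.split(","),
                      [c.strip() for c in cmds.split(",")]))
    return aliases, specs


def expand(items, table):
    """Recursively replace alias names with their members; leave literals alone."""
    out = []
    for item in items:
        out.extend(expand(table[item], table) if item in table else [item])
    return out


def user_matches(token, user):
    # %name means "member of group name"; ALL matches everyone.
    if token.startswith("%"):
        return user in GROUPS.get(token[1:], set())
    return token in ("ALL", user)


def cmd_matches(pattern, command):
    # An alias entry with arguments must match exactly; a bare path allows any args.
    if pattern == command:
        return True
    path = command.split(" ", 1)[0]
    return " " not in pattern and pattern == path


def is_permitted(policy, user, host, runas, command):
    """True if some spec grants user@host the command as the runas account."""
    aliases, specs = policy
    for users, hosts, runas_list, cmds in specs:
        if not any(user_matches(t, user) for t in expand(users, aliases["User_Alias"])):
            continue
        if host not in expand(hosts, aliases["Host_Alias"]):
            continue
        if runas not in expand(runas_list, aliases["Runas_Alias"]):
            continue
        if any(cmd_matches(p, command) for p in expand(cmds, aliases["Cmnd_Alias"])):
            return True
    return False  # nothing matched: sudo denies by default


POLICY = parse(SUDOERS)

if __name__ == "__main__":
    for case in [("alice", "prodhost1", "prodappid", "/bin/bash"),
                 ("alice", "prodhost1", "root", "/bin/bash"),
                 ("alice", "devhost1", "root", "/sbin/service foo restart"),
                 ("carol", "prodhost1", "prodappid", "/bin/bash")]:
        print(case, "->", is_permitted(POLICY, *case))
```

The point the evaluator makes concrete is that the shell is only ever granted as the per-environment application account named in the Runas_Alias, so there is no root entry to blacklist: a request to run /bin/bash as root, as the wrong environment's app account, or from a user outside the group simply matches no spec and is denied.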