[sudo-users] Disallow User switching in Group
Patrik Peng
patrik.peng at hostpoint.ch
Tue Nov 16 03:19:47 MST 2021
Greetings all
We would like to enable sudo I/O logging for specific users spread over
multiple hosts.
For this to work, a user's (member of group `sudo-iolog`) login shell is
set to a wrapper, which executes e.g. /bin/bash via `sudo -E -u
{{login_user}} /bin/bash -l`.
This way, a user's entire session is neatly recorded.
To keep the sudoers config as generic as possible, the following config
was created:
%sudo-iolog ALL=(%sudo-iolog) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash, /usr/bin/bash, /usr/local/bin/bash
...
This way, to enable I/O logging for a user, he just needs to be in the
`sudo-iolog` group and have the correct login-shell.
As you might have guessed, this config allows `user1` in the
`sudo-iolog` group to switch to `user2` in the same group with `sudo -u
sudotest2 /bin/bash`.
Is there any way to match all users in group `%sudo-iolog` but restrict
the `-u` option to the user calling `sudo` without explicitly writing
the username in the config?
Regards
Patrik
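The wrapper login shell the message describes, as an added example that is not part of the original post and not the poster's own script. It assumes the wrapper is installed as /usr/local/bin/iolog-shell and set as the login shell of every member of sudo-iolog, that the sudoers rule quoted above is in place, and that login/sshd do not forward a client-supplied SUDO_USER; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not the poster's wrapper): a login shell of the kind the
# message describes.  Assumed install path: /usr/local/bin/iolog-shell, set
# as the login shell of every member of sudo-iolog.  Function names are
# illustrative.  It relies on the sudoers rule quoted in the message.

# Accept only a plain account name.  The name goes into sudo's runas
# position, so anything that looks like an option ("-u root") or carries
# shell metacharacters is rejected rather than passed through.
iolog_check_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Print, one argument per line, the sudo argument vector that iolog_main
# execs for a given login user and the arguments the wrapper received.
# Kept separate from the exec so the argument handling (e.g. the
# "-c command" sshd passes for non-interactive sessions) can be checked
# without running sudo.
iolog_build_cmd() {
    user=$(iolog_check_user "$1") || return 1
    shift
    printf '%s\n' sudo -E -u "$user" -- /bin/bash -l "$@"
}

iolog_main() {
    # Inside the recorded session $SHELL still points at this wrapper, so
    # anything that spawns "$SHELL" (vim :sh, tmux, screen) would nest
    # another sudo.  sudo exports SUDO_USER into the session; use it as a
    # marker and drop straight into bash.  Assumption: login/sshd do not
    # pass SUDO_USER from the client (it is not in a default AcceptEnv list).
    if [ -n "$SUDO_USER" ]; then
        exec /bin/bash -l "$@"
    fi

    # Take the login name from the kernel-side identity, not from $USER or
    # $LOGNAME, which the user can set before the shell starts.
    me=$(id -un) || exit 1
    iolog_check_user "$me" >/dev/null || exit 1

    # Same argv as iolog_build_cmd "$me" "$@".  The wrapper pins -u to the
    # calling user, but nothing here stops that user from typing
    # "sudo -u <other member> /bin/bash" by hand: the rule quoted in the
    # message still permits it, which is the gap the message asks about.
    exec sudo -E -u "$me" -- /bin/bash -l "$@"
}

# Run only when invoked as the login shell ("-iolog-shell" from login/sshd,
# or by path); sourcing the file just defines the functions.
case "$0" in
    iolog-shell|-iolog-shell|*/iolog-shell) iolog_main "$@" ;;
esac
```

Because the wrapper passes its own arguments through, `ssh host 'ls -l'` (which sshd runs as `$SHELL -c 'ls -l'`) becomes `sudo -E -u <user> -- /bin/bash -l -c 'ls -l'` and is recorded like an interactive login. chsh refuses a shell that is not listed in /etc/shells, so either add the wrapper there or assign it as root with `usermod -s`.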