configuring sudo access for some users

John Summerfield debian at
Fri Nov 30 22:34:07 UTC 2007

ankush grover wrote:
> Hi friends,
> I want to configure sudo access for some users on my system. I am currently
> using FC7 on my system. What they require (I mean users) is to do all the
> things except they cannot su/su- to become anyother user or root user, they

If you try to say they can do everything except ... London to a brick 
you will forget something.

If you say that can do these things [ ... ] then probably you will 
forget something too, but you will not have so much worry about them 
doing something they ought not.

You can probably further constrain them using selinux; you don't want 
them using anything that opens (for example) /etc/passwd or /etc/shadow 
or /etc/inittab for output.

You don't want them running any shells (so no sudo -i) unless you have 
them thoroughly constrained with selinux.

If they can sit at the console and boot manually, you have some problems 
to solve.

For example.
Can someone boot unauthorised media?
-- I could run Knoppix

Can users get a grub commandline?
Can users edit the grub boot menu?
-- allows access to a shell prompt
kernel /vmlinuz-2.6.18-8.1.15.el5 \
   ro root=/dev/VolGroup00/LogVol00 init=/bin/bash

otoh if you've lost a fight with the proverbial bus, then someone may 
well need to do one of these.

> should not be able to change anybody's password or atleast root's password,
> cannot modify /etc/sudoers and  etc/pam.d/su files . I have a script which
> can extract all commands issued with "sudo" but if these users become root
> then I won't be able to know who has done what.

AFAIK anyone who can modify the user base can add a "root" user.

Log to another machine, where they cannot interfere with the logs.

> I have already restricted su/su - access by editing /etc/pam.d/su  and
> uncommenting the below line:
> # Uncomment the following line to require a user to be in the "wheel" group.
> auth            required use_uid
> Authentication on my system is done through LDAP but also Use MD5, Use
> Shadow and Local Authorization is sufficient options are enabled so that
> local user for ex myself can login without authenticating to LDAP. Users for
> which i want to configure sudo access will all be authenticated through
> Currently I have added these 2 lines in /etc/sudoers (I used visudo command
> to edit this file)
> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su

You forgot runuser which goes to illustrate my point.

What about the user who writes this program and runs it with su?

07:30 [summer at numbat ~]$ echo exec -l /bin/csh | tee bin/fakeshell
exec -l /bin/csh
07:31 [summer at numbat ~]$ chmod +x bin/fakeshell
07:31 [summer at numbat ~]$ bin/fakeshell
[summer at numbat ~]$ logout
07:31 [summer at numbat ~]$

Note the shell prompt changed.

> Both test and test2 are able to become root when they use "sudo su - " but
> they are not able to become root user when they issue "su -". How do I
> restrict these users not to become root or any other user through sudo su -
> and also these users should not able to change their or other users
> passwords on this system.
> Thanks & Regards
> Ankush Grover



-- spambait
1aaaaaaa at  Z1aaaaaaa at
-- Advice

You cannot reply off-list:-)

More information about the fedora-list mailing list