Sudo & su
Carville, Stephen
scarville at LANDAM.com
Sat Nov 3 20:51:00 UTC 2007
> A user with sudoer privileges is able to get root using "sudo su -". I
> find this extremely irritating. I prefer to keep access to root limited
> to a number of administrators in my organisation, but the applications
> running on the system require the application owners to be able to run
> root only commands. It seems this to be a global behavior, I have seen it
> on RHEL, Fedora and AIX5.3.
> Is there a way to force the system to request for the root password? Or
> restrict 'sudo' users from using 'su'?
Do not give it all then try to deny certain commands. Any reasonably smart user
can defeat that. Start with nothing and allow only what is necessary.
An example:
User_Alias WEBADMINS = fbar,jblow
Cmnd_Alias SERVICE = /sbin/service
Cmnd_Alias WEBME = /bin/su [-] wwwadmin
Cmnd_Alias KILL = /bin/kill
Cmnd_Alias GUNZIP = /bin/gunzip
Cmnd_Alias GREP = /bin/grep
Cmnd_Alias LESS = /usr/bin/less
Host_Alias DMZ = web1,web2,app1,app2
WEBADMINS DMZ = WEBME,SERVICE,KILL,LESS,GREP,GUNZIP,(wwwadmin)ALL
--
Stephen
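
Added example, not part of the original message: a small Python check of the approach described in the reply above, flagging sudoers rules that grant ALL as root, rely on "!" exclusions, or allow su without a fixed non-root target. It parses only simple one-line rules, and the users appowner and opsuser in the sample are constructed.

```python
import re

# Constructed sample: the "ALL minus su" idea from the question beside
# an allow-list in the style of the reply. User names are made up.
SAMPLE = """\
Cmnd_Alias SERVICE = /sbin/service
Cmnd_Alias WEBME = /bin/su [-] wwwadmin
Cmnd_Alias KILL = /bin/kill
appowner ALL = ALL, !/bin/su
WEBADMINS DMZ = WEBME,SERVICE,KILL,(wwwadmin)ALL
opsuser ALL = /bin/su
"""

def audit(text):
    """Return (user, finding) pairs for rules that amount to full root."""
    aliases, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(?![#@]|\w+_Alias\b|Defaults)(\S+)\s+\S+\s*=\s*(.+)", line)
        if not m:
            continue
        user, runas = m.group(1), "root"  # sudo targets root when no (runas) is given
        for item in m.group(2).split(","):
            r = re.match(r"\(([^)]*)\)\s*(.*)", item.strip())
            if r:  # a (runas) prefix also applies to the items after it
                runas, item = r.group(1), r.group(2)
            item = re.sub(r"^(\w+:\s*)+", "", item.strip())  # drop tags like NOPASSWD:
            as_root = runas.split(":")[0].strip() in ("root", "ALL")
            for cmd in aliases.get(item, [item]):
                negated, cmd = cmd.startswith("!"), cmd.lstrip("! ")
                parts = cmd.split()
                if negated:
                    findings.append((user, f"deny-list entry !{cmd}"))
                elif as_root and cmd == "ALL":
                    findings.append((user, "ALL as root"))
                elif as_root and parts and parts[0].endswith("/su"):
                    # su is contained only when the rule pins a non-root target
                    if len(parts) == 1 or parts[-1] in ("-", "[-]", "root", "*"):
                        findings.append((user, f"unpinned su: {cmd}"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

The WEBADMINS rule produces no finding because its su entry names wwwadmin as the target and its ALL is limited to the wwwadmin account.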