Originally Posted by techux
Thanks. I would check that.
I found sudo, it could work for the moment.
but is there any way to allow all commands and forbid users using sudo -i, or -s or sudo su...
some users will need access to root commands... while they use sudo we can track what commands they execute... but if they switch to root using sudo -i or sudo su, it would be more difficult to track..
Make the use of aliases and deny that functionality.
Something like this...
Cmnd_Alias SHELLS = /bin/bash, /bin/tcsh, /bin/csh, /bin/zsh, /bin/ksh, /bin/sh
%admins ALL=(ALL) ALL,!SHELLS
user1 ALL=(ALL) ALL,!SHELLS
This will allow you to run all commands...but not drop into a shell.
Although this isn't recommended. The recommended way is to choose a finite list of commands to allow to run. "ALL" isn't good practice.
For instance...even with the above configuration...I can do this.
Then all I need to do is
And it'll drop me into a root shell.