LinuxQuestions.org
Old 12-13-2007, 02:18 PM   #1
DejaCpp
LQ Newbie
 
Registered: Jul 2006
Posts: 7

Rep: Reputation: 0
Preventing Sudoers from doing sudo su


1. Is there a way to prevent someone that I have given sudo privilege to from doing 'sudo su'?

2. Do all of the editors in Linux have a way for a savvy user to escape to a shell and then get root access?
 
Old 12-13-2007, 03:01 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281
Typically, you should do it by only giving them access to the few commands they need, instead of ALL=ALL. I think the NOEXEC root option in the sudoers file will prevent root from being used with sudo.
 
Old 12-13-2007, 03:20 PM   #3
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 99
There are other things that need to be stopped as well. For example vi can give a shell (or you can update the sudoers file). Firefox can save files to and overwrite the sudoers file (there are many other ways to skirt the issue). Your best bet if you can't trust the people you are giving sudo rights to is to make a whitelist of things they CAN do, not a blacklist of things they can't.

HTH

Forrest
 
Old 12-13-2007, 03:41 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
+1

Give sudoer access only for what should be allowed. (So that all else is denied by default.) You don't want to get into the blacklist game in this case; there are too many apps that may allow one to run shell commands.
 
Old 12-22-2007, 04:47 AM   #5
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Quote:
Originally Posted by DejaCpp
1. Is there a way to prevent someone that I have given sudo privilege to from doing 'sudo su'?

The following should suffice, I think:

# SU is used below but was not defined in the post; /bin/su is an assumed path
Cmnd_Alias SU = /bin/su
User_Alias PART_ADMINS = prasanta
PART_ADMINS ALL = !SU, !/usr/bin/sudo -s, !/usr/bin/passwd root

--
Prasanta
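
Added example, not part of any post in this thread: a small shell audit that applies the whitelist advice from replies #3 and #4 by flagging sudoers rules that grant ALL commands or depend on '!' negations. The sample input is constructed (the PART_ADMINS rule is the one from reply #5, the "ops" and "webops" entries are hypothetical), and the parser is limited to single-line user specifications without line continuations.

```shell
#!/bin/sh
# Constructed sample input. The PART_ADMINS rule is the one posted in reply #5;
# the "ops" and "webops" entries are hypothetical.
sample_sudoers() {
cat <<'EOF'
Cmnd_Alias SU = /bin/su
User_Alias PART_ADMINS = prasanta
PART_ADMINS ALL = !SU, !/usr/bin/sudo -s, !/usr/bin/passwd root
ops ALL = (ALL) ALL
webops ALL = (root) NOEXEC: /usr/bin/less /var/log/syslog
EOF
}

# Read sudoers text on stdin and print one finding per risky command entry:
#   ALL-COMMANDS <who>        the rule grants every command
#   NEGATION <who> <entry>    the rule relies on a deny (blacklist) entry
# Rules that list only explicit commands produce no output.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        who = $1
        n = split(substr($0, eq + 1), item, ",")
        for (i = 1; i <= n; i++) {
            c = item[i]
            sub(/^[ \t]*(\([^)]*\))?[ \t]*/, "", c)      # drop a leading (runas)
            while (sub(/^[A-Z_]+:[ \t]*/, "", c)) { }    # drop tags such as NOEXEC:
            sub(/[ \t]+$/, "", c)
            if (c == "ALL") print "ALL-COMMANDS " who
            else if (c ~ /^!/) print "NEGATION " who " " c
        }
    }'
}

sample_sudoers | audit_sudoers
```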
 
  

