Blocking access on a particular app (via sudo)

Harlin · 10-20-2006, 08:39 AM

I would like to block anyone from using 'su' across the board for anyone in the sudoers file. How do I do this?

Thanks,

Harlin Seritt

jstephens84 · 10-20-2006, 04:37 PM

http://www.unet.univie.ac.at/aix/cmd...ds1/chuser.htm this looked like what you might need.

gilead · 10-21-2006, 02:34 AM

I could be misinterpreting your question, but su and sudo are very different things. The easiest way to limit su usage is in the /etc/suauth file. The man page has more info...

Harlin · 10-21-2006, 07:38 AM

Yes they are different. What I'm wondering is how can you stop anyone from doing this successfull:
# sudo su

?

Thanks for the help!

Harlin

Harlin · 10-21-2006, 07:40 AM

Oh sorry meant to include this in the post... there isn't a suauth file in /etc/ on my box.

jstephens84 · 10-21-2006, 01:59 PM

Never really done anything like this before but couldn't you find the command and just change the permissions on the su command. So that is not executable.

gilead · 10-21-2006, 02:30 PM

Quote:

Originally Posted by Harlin

Oh sorry meant to include this in the post... there isn't a suauth file in /etc/ on my box.

That's not a problem - there wasn't one on mine either. Once I created it, it was used by su.

Harlin · 10-21-2006, 02:41 PM

What kind of entries should i put in suauth to make this work?

thanks,

Harlin

gilead · 10-21-2006, 02:51 PM

The easies method is a default deny and only allow specific users. For example, to only allow the user steve to su to root:

Code:

root:ALL EXCEPT steve:DENY

I also have the permissions set so that only the root user can view/modify the file:

Code:

$ ls -l /etc/suauth
-rw-r----- 1 root root 27 2006-08-20 19:22 /etc/suauth

Users can still su to other users with this particular configuration - I only limit being able to su to root.

Harlin · 10-22-2006, 08:07 AM

Hey thanks!! One thing I'm wondering: if i'm wanting to deny many users besides Steve, how would I delimit the entries? comma? space?

Thanks!

Harlin

gilead · 10-22-2006, 02:11 PM

Commas - I recommend reading the man page for suauth. It's explained well and there are examples.