Mounting centralized NAS server with NFS . Need to forbid users from doing sudo su.
 

Hi,

long history short:
- we have a bunch of linux servers.
- lots of users work with linux Desktops. They use them as testing servers.
- All the infrastructure has the Authentication services linked by Quest Auth Services againts an AD. This gives us the option of logon scripts, startup scripts, and other things.
- One interesting option this Quest thing gives us is SUDO management. We can edit sudoers file by GPO politics.
- Now we are deploying a NAS server from Hitachi with cifs and NFS mapping capabilities.
- Servers are managed by IT, so nobody can go root except us.
- Desktop users will also mount the NFS shares so they will be able to work with real data and read their own data from servers.
- Desktop users can go sudo su.
- If desktop users go from root to another user, the NFS let them work as they where the other user.


I would like to keep them from swithching users, but only between AD users, they must be able to switch to apache user or postgres user.

I'm missing something or this is going to be tricky?
Can anybody give me a hand on this thinking?


Many thanks.

You could stop using sudo completely, switch to su only. Set easy to remember passwords for the apache user and the postgres users and give the people that need access to those accounts the passwords. Allow regular users to mount NFS shares (in /etc/fstab i think), then deny everybody root access.
I don't know anything about Quest, but I don't see any reason why this isn't a feasible solution.

I dont use QAS, but we use a sudoers entry to keep ad users from switching to other ad users with sudo:

When these are user desktops, they can boot into a root prompt with init=/bin/sh or similar. Additional measures are necessary.

Good point.

Our solution will be cifs. we will give a script on the desktop of each user(GPO) which asks for the password again and mounts cifs mountpoints.