configuring sudo access for some users
Dave Burns
tburns at hawaii.edu
Fri Nov 30 07:22:54 UTC 2007
On Nov 29, 2007 8:05 PM, ankush grover <ankushfedora at gmail.com> wrote:
> What they require (I mean users) is to do all the
> things except they cannot su/su- to become anyother user or root user, they
> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su
test and test2 could then
sudo bash
And then they have an unlimited root shell.
The following gets you a little closer to what you want, but never
really gets you there:
test myhost=(root) !/usr/bin/su,!sudo,!/bin/bash,!/bin/tcsh,!vi,!less
on and on and on and on, listing every command line tool that has a
"shell escape feature". In other words, what you want may be possible
in theory but not in practice. But at least you have to limit them to
a particular user (maybe not root but some other special user with
special ownerships that you have set up).
I recommend defining what commands are okay for them to use, and then
doing some homework to make sure those are safe (no way to escape to a
shell, which is hard to guarantee). Or only give sudo power to people
you trust completely.
HTH,
Dave
More information about the fedora-list
mailing list