Sudo & su

Carville, Stephen scarville at LANDAM.com
Sat Nov 3 20:51:00 UTC 2007


> A user with sudoer privileges is able to get root using "sudo su -". I 
> find this extremely irritating. I prefer to keep access to root limited 
> to a number of administrators in my organisation, but the applications 
> running on the system require the application owners to be able to run 
> root-only commands. It seems this is a global behavior; I have seen it 
> on RHEL, Fedora and AIX 5.3.
> Is there a way to force the system to request the root password? Or 
> restrict 'sudo' users from using 'su'?

Do not give it all then try to deny certain commands.  Any reasonably smart user 
can defeat that.  Start with nothing and allow only what is necessary.  

An example:

User_Alias  WEBADMINS = fbar,jblow

Cmnd_Alias  SERVICE = /sbin/service
Cmnd_Alias  WEBME = /bin/su [-] wwwadmin
Cmnd_Alias  KILL = /bin/kill
Cmnd_Alias  GUNZIP = /bin/gunzip
Cmnd_Alias  GREP = /bin/grep
Cmnd_Alias  LESS = /usr/bin/less

Host_Alias  DMZ = web1,web2,app1,app2

WEBADMINS   DMZ = WEBME,SERVICE,KILL,LESS,GREP,GUNZIP,(wwwadmin)ALL

--
Stephen
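As an added example (not part of Stephen's post or of sudo itself), a small Python audit script that expands the User, Cmnd and Host aliases of a sudoers fragment like the one above and lists, per user and host, which commands may run as which account, so that any ALL grant can be reviewed before the file goes live. It understands only the alias and user-spec syntax shown here, not the full sudoers grammar.

```python
import re
# Constructed input: the sudoers fragment from the post above, verbatim.
SUDOERS = """\
User_Alias  WEBADMINS = fbar,jblow
Cmnd_Alias  SERVICE = /sbin/service
Cmnd_Alias  WEBME = /bin/su [-] wwwadmin
Cmnd_Alias  KILL = /bin/kill
Cmnd_Alias  GUNZIP = /bin/gunzip
Cmnd_Alias  GREP = /bin/grep
Cmnd_Alias  LESS = /usr/bin/less
Host_Alias  DMZ = web1,web2,app1,app2
WEBADMINS   DMZ = WEBME,SERVICE,KILL,LESS,GREP,GUNZIP,(wwwadmin)ALL
"""
ALIAS_RE = re.compile(r"^(User|Cmnd|Host)_Alias\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(.+)$")   # user host = commands
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")          # (runas) command

def parse(text):
    """Return ({kind: {alias: members}}, [(users, hosts, [cmds])])."""
    aliases, rules = {"User": {}, "Cmnd": {}, "Host": {}}, []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if m := ALIAS_RE.match(line):            # blank/comment lines match nothing
            kind, name, body = m.groups()
            aliases[kind][name] = [x.strip() for x in body.split(",")]
        elif m := RULE_RE.match(line):
            users, hosts, cmds = m.groups()
            rules.append((users, hosts, [x.strip() for x in cmds.split(",")]))
    return aliases, rules
def expand(kind, item, aliases):
    """Replace an alias name with its members, recursively; other names pass through."""
    if item in aliases[kind]:
        return [x for m in aliases[kind][item] for x in expand(kind, m, aliases)]
    return [item]
def effective(text):
    """Map (user, host) -> [(runas, command)] after expanding every alias."""
    aliases, rules = parse(text)
    grants = {}
    for users, hosts, cmds in rules:
        runas, entries = "root", []   # sudoers runs as root unless a (runas) tag says otherwise
        for cmd in cmds:
            if m := RUNAS_RE.match(cmd):
                runas, cmd = m.groups()   # a (runas) tag also covers the commands after it
            entries += [(runas, c) for c in expand("Cmnd", cmd, aliases)]
        for u in expand("User", users, aliases):
            for h in expand("Host", hosts, aliases):
                grants.setdefault((u, h), []).extend(entries)
    return grants
def unrestricted(text):
    """(user, host, runas) triples that may run ALL commands: review these first."""
    return sorted({(u, h, r) for (u, h), es in effective(text).items() for r, c in es if c == "ALL"})
```

On the fragment above the only ALL grants are as wwwadmin, never as root, which is the whole point of the allowlist approach.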