[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: configuring sudo access for some users



On Nov 29, 2007 8:05 PM, ankush grover <ankushfedora gmail com> wrote:
> What they require (I mean users) is to do all the
> things except they cannot su/su- to become anyother user or root user, they

> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su

test and test2 could then
 sudo bash

And then they have an unlimited root shell.
The following gets you a little closer to what you want, but never
really gets you there:

test myhost=(root) !/usr/bin/su,!sudo,!/bin/bash,!/bin/tcsh,!vi,!less

on and on and on and on, listing every command line tool that has a
"shell escape feature". In other words, what you want may be possible
in theory but not in practice. But at least you have to limit them to
a particular user (maybe not root but some other special user with
special ownerships that you have set up).

I recommend defining what commands are okay for them to use, and then
doing some homework to make sure those are safe (no way to escape to a
shell, which is hard to guarantee). Or only give sudo power to people
you trust completely.
HTH,
Dave


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]