I have several users on my system that have root ability but I would prefer them to only be able to "sudo <command>" rather than "sudo -s" to root. By preventing them from using "sudo -s" I think I can prevent them from entering certain directories and such.
How do I disable "sudo -s" access for certain users, or is there a better method for this?
Disable sudo -s
Started by Guest_Wanch_*, Aug 20 2008 04:46 AM
6 replies to this topic
#1
Guest_Wanch_*
Posted 20 August 2008 - 04:46 AM
#2
Posted 21 August 2008 - 05:20 AM
If you disable access to the su command will this work? I'm not sure how this can be done.
#3
Posted 10 November 2008 - 07:01 AM
Hmm... I am not sure either. Maybe it can be done. I think you should ask our admin about this, or any senior member you find a bit experienced.
Lyf come without guarantees, except that smiling will brighten ur face, laughing will enhance ur eyes, and falling in luv will change ur lyf
#4
Guest_Jordan_*
Posted 11 November 2008 - 08:16 AM
I've set this up on one of our Linux machines. You add an ALIAS to the commands in /etc/sudoers and later you block the ALIAS. Here is an example:
Alias:
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Blocking the user:
# User privilege specification
root ALL=(ALL) ALL
UserName SERVERS = /usr/bin/, !SU, !SHELLS, !HALT, !REBOOT, !SHUTDOWN, !KILL
Again, this is all in /etc/sudoers file.
#5
Guest_Wanch_*
Posted 17 November 2008 - 05:57 AM
So I can make a cmnd_alias for anything?
#6
Guest_Jordan_*
Posted 17 November 2008 - 07:08 AM
Yup, for just about anything the system can do. It is a great way to give a user access to only one thing (such as restarting) or give them access to everything but block several commands (like "rm -rf /").
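An added example, not part of the original posts: a small Python audit over sudoers text shaped like the entries in post #4. It flags rules that pair a broad grant (ALL or a whole directory) with negated commands, the pattern sudoers(5) describes as generally not effective when subtracting commands from ALL with "!". The sample text and function names are constructed for illustration, and the parser handles only this simple subset of sudoers syntax.

```python
import re

# Constructed sample modelled on the sudoers lines quoted in the thread.
SAMPLE = """\
# Cmnd alias specification
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \\
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias REBOOT = /usr/sbin/reboot
root ALL=(ALL) ALL
UserName SERVERS = /usr/bin/, !SU, !SHELLS
operator ALL = REBOOT
"""

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    for line in joined.splitlines():
        # Simplification: treats every '#' as a comment (ignores #include, #uid).
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def audit(text):
    """Return (aliases, findings); a finding is (user, broad_grants, negated_cmds)."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        if re.match(r"(User|Host|Runas)_Alias\b|Defaults\b", line):
            continue
        who, _, spec = line.partition("=")
        if not spec:
            continue
        spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)          # drop (runas) part
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())    # drop tags like NOPASSWD:
                for c in spec.split(",")]
        broad = [c for c in cmds if c == "ALL" or c.endswith("/")]
        negated = []
        for c in cmds:
            if c.startswith("!"):                              # expand !ALIAS to its paths
                name = c[1:].strip()
                negated += aliases.get(name, [name])
        if broad and negated:                                  # blacklist on a broad grant
            findings.append((who.split()[0], broad, negated))
    return aliases, findings

if __name__ == "__main__":
    for user, broad, negated in audit(SAMPLE)[1]:
        print(f"{user}: broad grant {broad} restricted only by exclusions {negated}")
```

Rules it reports are candidates for rewriting as an explicit list of allowed commands, as in the "access to only one thing" case.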
#7
Posted 01 February 2009 - 10:06 AM
Well that is a great job done. We cannot allow all and sundry to edit and view all directories. You have to restrict the access of different users. Linux is the best when it comes to updates and security issues. Good help.
Is it possible to set different parameters to different users?