Disable sudo -s

[Wanch]

I have several users on my system that have root ability but I would prefer them to only be able to "sudo <command>" rather than "sudo -s" to root. By preventing them "sudo -s" I think I can prevent them from entering certain directories and such.

How do I disable "sudo -s" access to for certain users or is there a better method for this?

[Tor]

If you disable access to the su command will this work? I'm not sure how this can be done.

[tecktalk]

Hmm.. I am not sure too.. may be it can be done .. I think you should ask our admin about this.. or any senior member.. you find a bit experienced..

[Jordan]

I've set this up on one of our Linux machines. You add an ALIAS to the commands in /etc/sudoers and later you block the ALIAS. Here is an example:

Alias:

Code:

# Cmnd alias specification
 Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                        /usr/sbin/restore, /usr/sbin/rrestore
 Cmnd_Alias     KILL = /usr/bin/kill
 Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
 Cmnd_Alias     HALT = /usr/sbin/halt
 Cmnd_Alias     REBOOT = /usr/sbin/reboot
 Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                         /usr/local/bin/tcsh, /usr/bin/rsh, \
                         /usr/local/bin/zsh
 Cmnd_Alias     SU = /usr/bin/su
 Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

Blocking the user:

Code:

# User privilege specification
root            ALL=(ALL) ALL
UserName       SERVERS = /usr/bin/, !SU, !SHELLS, !HALT, !REBOOT, !SHUTDOWN, !KILL

Again, this is all in /etc/sudoers file.

[Wanch]

So I can make a cmnd_alias for anything?

[Jordan]

Yup, for just about anything the system can do. It is a great way to give a user access to only one thing (such as restarting) or give them access to everything but block several commands (like "rm -rf /").