how to deny "sudo su"
Solution 1
% sudo ALL = (ALL) NOPASSWD: ALL
You have effectively given the users in the sudo group full unrestricted control over your system. Trying to deny them access to the su binary is, as others have noted, futile, as they already have root privilege via sudo and membership of the group.
You should analyse the workflow of the users in the sudo group to determine which commands they need to run as root and use sudo to give them privilege access to those commands only. If necessary write scripts and give the sudo group access to run the script (make sure they don't have write access to it though) rather than the individual commands within it.
For example you may determine that your users need to be able to use kill and all of the commands in the directory /usr/local/sudocmds (where your local scripts live), so you would give them sudo access like so (note the trailing slash, which is what makes sudoers treat the entry as a directory of commands rather than a single command path):
%sudo ALL=NOPASSWD: /usr/bin/kill, /usr/local/sudocmds/
You can use command aliases too:
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds/
This adds the commands in the PRINTING and DUMPS Cmnd_Alias entries to the list of commands that the sudo group can run.
Take a look at the sudoers man page for more information and examples.
Solution 2
In order to properly avoid this you must take a different approach.
If you disallow sudo su, I can still run sudo -u root /bin/sh; if you disallow this, I will write a small wrapper script and execute this...
The only way to solve this is to only allow the needed commands.
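To make the difference between the question's rule and the whitelist in Solution 1 concrete, here is an added Python model of the relevant subset of sudoers command matching. It is an illustration written for this page, not the sudo project's own parser: it handles Cmnd_Alias, group user specs, the ALL keyword, exact command paths and directory entries, and ignores arguments, wildcards, `!` negation and per-host matching. It assumes, as sudoers(5) requires, that a directory entry ends with a trailing `/`. The two sudoers fragments and the command paths below are constructed sample input.

```python
"""Simplified sudoers Cmnd_List matcher (added illustration, not sudo's parser)."""
import re
from dataclasses import dataclass, field


@dataclass
class Rules:
    aliases: dict = field(default_factory=dict)  # Cmnd_Alias name -> [patterns]
    grants: dict = field(default_factory=dict)   # group name -> [patterns]


ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)")
# %group host = (runas) TAG: cmd, cmd ...   (runas and tags optional)
GROUP_RE = re.compile(r"%\s*(\w+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(.*)")


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used on this page into Rules."""
    rules = Rules()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            rules.aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = GROUP_RE.match(line)
        if m:
            rules.grants.setdefault(m.group(1), []).extend(
                c.strip() for c in m.group(2).split(","))
    return rules


def _expand(rules, pattern, seen=()):
    """Replace alias names with their members (guarding against alias loops)."""
    if pattern in rules.aliases:
        if pattern in seen:
            return []
        out = []
        for p in rules.aliases[pattern]:
            out.extend(_expand(rules, p, seen + (pattern,)))
        return out
    return [pattern]


def command_matches(pattern, cmd):
    """sudoers semantics (subset): ALL matches everything; a pattern ending in
    '/' is a directory and matches files directly inside it, not in
    subdirectories; anything else must equal the full command path."""
    if pattern == "ALL":
        return True
    if pattern.endswith("/"):
        return cmd.startswith(pattern) and "/" not in cmd[len(pattern):]
    return pattern == cmd


def may_run(rules, group, cmd):
    """True if the group's grants allow running cmd (given by full path)."""
    patterns = []
    for p in rules.grants.get(group, []):
        patterns.extend(_expand(rules, p))
    return any(command_matches(p, cmd) for p in patterns)


# Constructed fragments: the rule from the question and the whitelist from Solution 1.
UNRESTRICTED = "% sudo ALL = (ALL) NOPASSWD: ALL\n"

WHITELIST = """\
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds/
"""


def compare(cmd):
    """(allowed under the unrestricted rule, allowed under the whitelist)."""
    return (may_run(parse_sudoers(UNRESTRICTED), "sudo", cmd),
            may_run(parse_sudoers(WHITELIST), "sudo", cmd))


if __name__ == "__main__":
    for c in ["/bin/su", "/bin/sh", "/usr/bin/kill", "/usr/sbin/dump",
              "/usr/local/sudocmds/rotate-logs", "/usr/local/sudocmds/sub/x"]:
        unrestricted, whitelist = compare(c)
        print(f"{c:35} unrestricted={unrestricted!s:5} whitelist={whitelist}")
```

Under the ALL rule every path, including su and any shell, is permitted, which is why removing one binary from the list changes nothing. Under the whitelist only the aliased commands, kill and the scripts directly inside /usr/local/sudocmds/ match; a script placed in a subdirectory does not, so the directory should contain only root-owned, non-writable scripts that are meant to be run.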
Gon
Updated on September 18, 2022
Comments
- Gon over 1 year: I have several servers where some users require to be sudoers to work. The problem is that sudoers can run the command sudo su and log in as user root. It seems very risky to run that command. I tried with Command Alias in the file /etc/sudoers but it has not worked. Is there any way that they are sudoers but cannot run the command sudo su?
- Gon over 12 years: It's simple: In /etc/sudoers I have: % sudo ALL = (ALL) NOPASSWD: ALL The user "user1" belongs to group "sudo". Therefore, the user "user1" can run "sudo <command>". Therefore, "user1" can run the command "sudo su". I need that "user1" is sudoer, but cannot execute the command "sudo su".
- Khaled over 12 years: You should grant the user sudo for all commands if possible. You need to count the commands they need/should execute and then grant them the needed privileges. Otherwise, you should either trust your sudoers or not. In the latter case, you should not give them sudo in the first place.
- Ladadadada over 12 years: Whitelisting: good; Blacklisting: bad.