How to deny "sudo su"


Solution 1

% sudo ALL = (ALL) NOPASSWD: ALL

You have effectively given the users in the sudo group full unrestricted control over your system. Trying to deny them access to the su binary is, as others have noted, futile, as they already have root privilege via sudo and membership of the group.

You should analyse the workflow of the users in the sudo group to determine which commands they need to run as root and use sudo to give them privileged access to those commands only. If necessary, write scripts and give the sudo group access to run the script (make sure they don't have write access to it, though) rather than the individual commands within it.

For example, you may determine that your users need to be able to use kill and all of the commands in the directory /usr/local/sudocmds (where your local scripts live), so you would give them sudo access like so:

%sudo    ALL=NOPASSWD: /usr/bin/kill, /usr/local/sudocmds

You can use command aliases too:

Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump

%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds

This adds the commands in the PRINTING and DUMPS Cmnd_Aliases to the list of commands that the sudo group can run.

Take a look at the sudoers man page for more information and examples.
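As an added illustration (not part of either answer), the following Python audit parses a sudoers fragment, expands Cmnd_Alias entries, and flags grants that defeat the whitelisting approach described above: the keyword ALL, a negated "!" blacklist entry, or a command that is itself a root shell. The two sample fragments are constructed from the question and from the rules in this answer; the parser is deliberately simplified (no line continuations, no Runas or Host aliases).

```python
import re

# Constructed samples: the question's broad rule and this answer's whitelist.
SUDOERS_BROAD = "%sudo ALL=(ALL) NOPASSWD: ALL\n"
SUDOERS_RESTRICTED = """\
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds
"""
# Commands that yield an unrestricted root session; granting one of these, or
# the keyword ALL, is equivalent to allowing "sudo su".
ROOT_SHELL_CMDS = {"/bin/su", "/usr/bin/su", "/bin/sh", "/usr/bin/sh", "/bin/bash"}
# user/group, host list, optional "(runas)", optional tags, then the commands.
SPEC_RE = re.compile(
    r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)*(.+)$")

def parse_sudoers(text):
    """Return (aliases, specs): Cmnd_Alias name -> command list, and one
    (user_or_group, expanded_commands) tuple per user specification."""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # Defaults lines and other alias types are not audited
        who, _hosts, cmd_list = m.groups()
        expanded = []
        for item in (c.strip() for c in cmd_list.split(",")):
            expanded.extend(aliases.get(item, [item]))  # inline alias members
        specs.append((who, expanded))
    return aliases, specs

def audit(text):
    """List grants that defeat whitelisting; empty means only concrete commands."""
    findings = []
    for who, cmds in parse_sudoers(text)[1]:
        for cmd in cmds:
            if cmd == "ALL":
                findings.append(f"{who}: ALL is unrestricted root, sudo su is implied")
            elif cmd.startswith("!"):
                findings.append(f"{who}: {cmd} is a blacklist entry, not a whitelist")
            elif cmd.split()[0] in ROOT_SHELL_CMDS:
                findings.append(f"{who}: {cmd} gives an interactive root shell")
    return findings
```

Run it against a copy of your own sudoers (or a drop-in under /etc/sudoers.d) after `visudo -c` has confirmed the syntax; an empty result from audit() is the state the answer above recommends.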

Solution 2

In order to properly avoid this, you must take a different approach.
If you disallow sudo su, I can still run sudo -u root /bin/sh; if you disallow this, I will write a small wrapper script and execute this...

The only way to solve this is to only allow the needed commands.


Author: Gon

Updated on September 18, 2022

Comments

  • Gon (over 1 year)

    I have several servers where some users require to be sudoers to work. The problem is that sudoers can run the command sudo su and log in as user root. It seems very risky to run that command.

    I tried with Command Alias in the file /etc/sudoers, but it has not worked. Is there any way that they can be sudoers but not run the command sudo su?

    • Gon (over 12 years)
      It's simple: in /etc/sudoers I have "% sudo ALL = (ALL) NOPASSWD: ALL". The user "user1" belongs to group "sudo". Therefore, the user "user1" can run "sudo <command>". Therefore, "user1" can run the command "sudo su". I need "user1" to be a sudoer, but not be able to execute the command "sudo su".
    • Khaled (over 12 years)
      You should grant the user sudo for all commands if possible. You need to count the commands they need/should execute and then grant them the needed privileges. Otherwise, you should either trust your sudoers or not. In the latter case, you should not give them sudo in the first place.
  • Ladadadada (over 12 years)
    Whitelisting: good; Blacklisting: bad.