How can I restrict a user from executing sudo -su? I.e., disable this -su option for sudo allowed users.
sudo user can run anything as user root, why is there a need to do this anyways? You should reconsider your security concept. – pLumo Apr 11 '19 at 11:51
sudo binary. I think you need to describe your problem a lot better with many more details. – Bananguin Apr 11 '19 at 11:56
sudo allows for quite fine grained management. Of course nothing sensible would prevent a user from typing sudo -su in a shell. – Bananguin Apr 11 '19 at 11:58
sudo is allowed to do in sudoers file, sudo users can change that to whatever they like. So technically you might be right, but practically you're not. – pLumo Apr 11 '19 at 12:05
/bin/bash as user 1001. User 1000 will not be able to change the sudoers file. – Bananguin Apr 11 '19 at 12:12
sudo rights, how will you prevent him from editing sudoers file? – pLumo Apr 11 '19 at 12:15
sudo. You do not need to own either binary or configuration files. You do not need to be a member of the group(s) sudo and its configuration files belong to. You needn't configure sudo to grant users permissions to edit its configuration files. I have no idea what "sudo rights" are, but it sounds like more than is required. – Bananguin Apr 11 '19 at 12:48
sudo rights. There's a list of rules in sudoers that determine what commands some users can run in the name of what other users. – Stéphane Chazelas Apr 11 '19 at 13:39
sudo group that should be allowed to run any command as root with sudo (that is what I mean by sudo rights which is technically not the correct term) but not sudo su. So they could also run sudo visudo to remove restrictions. – pLumo Apr 11 '19 at 13:42
sudo -su, either a typo and they meant sudo su, or they ask about the -s and -u options. – Stéphane Chazelas Apr 11 '19 at 13:47
sudo from being able to "run a shell as another user" (as sudo -su suggests), then the answer is that it's a bad idea. See, for instance, Sudoers blacklist. It would be better if you could restate your requirements in terms of "how can I allow some users to only execute these commands as root/as another user?". – fra-san Apr 11 '19 at 14:00
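
The blacklist the last comment warns against, next to the allowlist it recommends, as an added sudoers example that is not part of the original thread. The group names, user names and command paths are constructed placeholders.

```sudoers
# Constructed example for a drop-in file such as /etc/sudoers.d/example.
# All group, user and command names below are placeholders.

# Weak: blacklist. Grants every command, then subtracts named paths.
# The negations only match the exact paths listed. Any other command
# that can start a shell or edit sudoers (the thread's example is
# "sudo visudo") still matches ALL and is permitted.
%staff   ALL = (ALL) ALL, !/bin/su

# Stronger: allowlist. Nothing is granted except what is named.
# "sudo -s" and "sudo -su <user>" run the invoking user's shell as the
# command, so they are refused here because no shell matches a rule.
Cmnd_Alias WEB_OPS = /usr/bin/systemctl restart nginx, \
                     /usr/bin/systemctl reload nginx

# Members of webops may run only WEB_OPS, and only as root.
%webops  ALL = (root) WEB_OPS

# alice may run one script, and only as the unprivileged user deploy.
alice    ALL = (deploy) /usr/local/bin/deploy.sh
```

Check the file with `visudo -cf /etc/sudoers.d/example` before relying on it, and confirm the effective rules for an account with `sudo -l -U alice`.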