
How can I restrict a user from executing sudo -su? I.e., disable this -su option for sudo allowed users.

fra-san
AVS
  • You cannot. A sudo user can run anything as user root; why is there a need to do this anyway? You should reconsider your security concept. – pLumo Apr 11 '19 at 11:51
  • You can always rename or delete the sudo binary. I think you need to describe your problem a lot better with many more details. – Bananguin Apr 11 '19 at 11:56
  • @RoVo this is not true. sudo allows for quite fine-grained management. Of course nothing sensible would prevent a user from typing sudo -su in a shell. – Bananguin Apr 11 '19 at 11:58
  • While you are able to restrict what sudo is allowed to do in the sudoers file, sudo users can change that to whatever they like. So technically you might be right, but practically you're not. – pLumo Apr 11 '19 at 12:05
  • @RoVo: They can only change it if they can edit the file as root, but that doesn't need to be the case. You could allow user 1000 to run /bin/bash as user 1001. User 1000 will not be able to change the sudoers file. – Bananguin Apr 11 '19 at 12:12
  • I don't get it. If the user has sudo rights, how will you prevent him from editing the sudoers file? – pLumo Apr 11 '19 at 12:15
  • @RoVo: Others-executable permissions on the binary are enough to use sudo. You do not need to own either the binary or the configuration files. You do not need to be a member of the group(s) sudo and its configuration files belong to. You needn't configure sudo to grant users permissions to edit its configuration files. I have no idea what "sudo rights" are, but it sounds like more than is required. – Bananguin Apr 11 '19 at 12:48
  • @RoVo, there's no such thing as sudo rights. There's a list of rules in sudoers that determine what commands some users can run in the name of what other users. – Stéphane Chazelas Apr 11 '19 at 13:39
  • Okay, true, but the OP asks for "sudo allowed users", so I assume he means users in the sudo group that should be allowed to run any command as root with sudo (that is what I mean by sudo rights, which is technically not the correct term) but not sudo su. So they could also run sudo visudo to remove restrictions. – pLumo Apr 11 '19 at 13:42
  • @RoVo, the OP asks about sudo -su, either a typo and they meant sudo su, or they ask about the -s and -u options. – Stéphane Chazelas Apr 11 '19 at 13:47
  • @AVS If you are trying to prevent users which are allowed to execute any command as root using sudo from being able to "run a shell as another user" (as sudo -su suggests), then the answer is that it's a bad idea. See, for instance, Sudoers blacklist. It would be better if you could restate your requirements in terms of "how can I allow some users to only execute these commands as root/as another user?". – fra-san Apr 11 '19 at 14:00
  • That's fine. I have gone through many answers available on Stack Exchange saying that whitelisting is a best practice. What I want is to replace a command # sudo -su someuser with some other command globally. – AVS Apr 12 '19 at 10:47
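The distinction the comments draw (a rule granting any command as root, which makes any later exclusion pointless, versus narrowly scoped rules that never grant a root shell) as an added sudoers example; it is not from the question or any commenter, and the user names alice, bob and carol and the listed commands are assumptions:

```sudoers
# Added example (not from the thread). Note: "sudo -su bob" is parsed as
# "sudo -s -u bob": run a shell (-s) as user bob (-u), subject to policy.

# Weak: members of group sudo may run any command as any user, so
# "sudo -s -u bob" is allowed, and so is "sudo visudo", which lets the
# user remove any rule added later. sudoers(5) also warns that "!"
# command exclusions are not a security boundary, so neither variant
# below is an effective restriction:
#   %sudo ALL=(ALL:ALL) ALL
#   %sudo ALL=(ALL:ALL) ALL, !/bin/bash

# Scoped: alice may run a shell as bob (the effect of "sudo -s -u bob"
# when her SHELL is /bin/bash, or of "sudo -u bob /bin/bash") but nothing
# as root, so she cannot edit sudoers. Running as (bob) never implies root.
alice ALL=(bob) /bin/bash

# Scoped: carol may run only these commands, as root, and no shell at all,
# so "sudo -s", "sudo -su carol" and "sudo visudo" are all denied.
Cmnd_Alias NGINX_SVC = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx
carol ALL=(root) NGINX_SVC
```

Check a fragment with visudo -c -f FILE before dropping it into /etc/sudoers.d/, and let each user confirm the effective rules with sudo -l.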

0 Answers