7

I want to prevent the users from using the su command, and so I blocked the command in the /etc/sudoers file as below:

%group ALL=(ALL:ALL) NOPASSWD:!/bin/su

But with this rule in sudoers, they are unable to execute sudo <command> commands, resulting in the error:

Sorry, user xxxx is not allowed to execute 'command' as root on <host>

Is there any way in which the program sudo relies on su?

forest
  • 2,655
Karthik
  • 155

2 Answers

23

sudo doesn’t rely on su.

Your setup prevents users from running anything because it doesn’t grant anything: it only prevents users from using /bin/su. You’d need NOPASSWD: ALL, !/bin/su or something to that effect.

Note however that denying /bin/su in this way won’t stop users from copying su somewhere else and running the copy. See the relevant discussion in man sudoers.

Stephen Kitt
  • 434,908
  • My bad! You are absolutely right! – Karthik May 22 '23 at 13:18
  • 9
    There are lots of other holes by which users with sudo privileges can get root access even when su is denied. sudo sudo, sudo bash, sudo vi, sudo less, sudo chmod..... – symcbean May 22 '23 at 13:56
  • 4
    @symcbean or just sudo -s. – Stephen Kitt May 22 '23 at 14:07
  • Copying su isn't likely - or at least if it is then either the SUID bit will get dropped or the user already had root access – Chris Davies May 22 '23 at 15:41
  • 2
    @roaima given that the intention was ALL=(ALL:ALL) I think it’s safe to assume that the user already has root access. – Stephen Kitt May 22 '23 at 15:50
  • 5
    @symcbean: sudo cp $HOME/vmlinuz /boot/vmlinuz – Joshua May 23 '23 at 04:15
  • @roaima They can do sudo chmod u+s su_copy – Barmar May 23 '23 at 13:13
  • 1
    @Barmar they don’t even need to, sudo su_copy will run su_copy as root so it doesn’t need to be setuid. – Stephen Kitt May 23 '23 at 13:16
  • @Joshua I take it you don’t use Secure Boot. – Stephen Kitt May 23 '23 at 13:16
  • True, the popular sudo su idiom is weird to begin with. – Barmar May 23 '23 at 13:29
  • @StephenKitt: You're right, I don't. According to the manual I would just also need to do sudo sbsign as well. – Joshua May 23 '23 at 13:53
  • @Joshua you’d need to either know the passphrase for one of the system’s MOKs, or enroll a new one (assuming you have physical access to the system and know the appropriate setup password; but if that’s the case you already own the system anyway). – Stephen Kitt May 23 '23 at 14:16
  • 3
    @Barmar Yes sudo su would be weird, but the idiom was actually sudo su - and its popularity was well deserved. It's almost a real login (all the startup scripts, login shell, etc.) and it was a useful shorthand back when sudo -i didn't exist. The behavior of sudo -s is/was quite different. – kubanczyk May 23 '23 at 15:00
  • No need to copy su, sudo env su, sudo sh -c su would be enough to run su (assuming the noexec sudo feature is not used). – Stéphane Chazelas May 24 '23 at 11:20
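As an added example (not code from sudo, and not from the answer or comments above), the following simplified Python model of how sudoers resolves a command list shows three things at once: why the rule in the question grants nothing, why `ALL, !/bin/su` is still bypassed by `sudo env su` (the command sudo matches is `/usr/bin/env`, not `/bin/su`) or by a copy of su under another path, and why the order of entries matters, since sudoers applies entries in order and the last match wins. The model deliberately ignores users, hosts, Runas specs, arguments and wildcards; the sample paths and the `demo()` helper are assumptions for illustration.

```python
"""Toy model of sudoers command-list matching.

Added example, not sudo's own code.  It models only this much of sudoers:
entries in a Cmnd_Spec_List are scanned in order, the last entry matching the
requested command wins, a leading '!' makes the entry a denial, and a
NOPASSWD:/PASSWD: tag applies to every following entry until overridden.
"""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmndEntry:
    path: str        # "ALL" or an absolute path
    negated: bool    # True for an entry written as "!/bin/su"
    nopasswd: bool   # True while a NOPASSWD: tag is in effect


TAG_RE = re.compile(r"(NOPASSWD|PASSWD):\s*", re.IGNORECASE)


def parse_cmnd_list(spec: str) -> list:
    """Parse the command-list half of a sudoers rule, e.g. 'NOPASSWD: ALL, !/bin/su'."""
    entries = []
    nopasswd = False
    for item in spec.split(","):
        item = item.strip()
        # Strip any tags in front of the command; the tag persists for later entries.
        while (m := TAG_RE.match(item)) is not None:
            nopasswd = m.group(1).upper() == "NOPASSWD"
            item = item[m.end():]
        if not item:
            raise ValueError("empty command entry in %r" % spec)
        negated = item.startswith("!")
        path = item[1:].strip() if negated else item
        entries.append(CmndEntry(path, negated, nopasswd))
    return entries


def evaluate(spec: str, command: str) -> str:
    """Return 'deny', 'allow' or 'allow-nopasswd' for an absolute command path.

    Entries are applied in order; the verdict is whatever the LAST matching
    entry says, which is also why '!/bin/su, ALL' denies nothing.
    """
    verdict = "deny"  # nothing matched yet: sudo refuses
    for entry in parse_cmnd_list(spec):
        if entry.path == "ALL" or entry.path == command:
            if entry.negated:
                verdict = "deny"
            else:
                verdict = "allow-nopasswd" if entry.nopasswd else "allow"
    return verdict


def demo() -> dict:
    """Evaluate the question's rule and the answer's rule against sample paths (assumed)."""
    rules = {
        "question": "NOPASSWD:!/bin/su",        # only a denial: grants nothing
        "answer": "NOPASSWD: ALL, !/bin/su",    # grants everything except /bin/su
        "reversed": "NOPASSWD: !/bin/su, ALL",  # same entries, wrong order
    }
    commands = ["/bin/su", "/usr/bin/vi", "/usr/bin/env", "/home/user/su_copy"]
    return {name: {c: evaluate(rule, c) for c in commands} for name, rule in rules.items()}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name)
        for command, verdict in results.items():
            print("  %-22s %s" % (command, verdict))
```

The "answer" row is the interesting one: `/bin/su` is denied, but `/usr/bin/env` and `/home/user/su_copy` are allowed without a password, which is exactly the `sudo env su` and copied-binary bypasses discussed in the comments. The "reversed" row shows the ordering trap: with `!/bin/su` before `ALL`, the `ALL` entry matches last and `/bin/su` is allowed again.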
-1

Make the su password impossible to guess and you get the same effect. Though you might want to prevent the password from being changed that way.

Meh
  • 1