Re: Sudoers file

 
ozas
Advisor

Sudoers file

Hi,

Please just a quick one. Does anyone know how I can restrict users from being able to switch to root in the sudoers file?
Presently the users are defined in the sudoers file and can switch to another user without a password, but I do not want them to be able to switch to root.
Patrick Wallek
Honored Contributor

Re: Sudoers file

Use a command alias like this:

Cmnd_Alias SU=!/usr/bin/su -, !/usr/bin/su *root*

Add this to each user and they should not be able to su to root.
ozas
Advisor

Re: Sudoers file

I have tried that before it did not work.
See below my sudoers file, maybe I need to change anything.

This is the sudoers file:

# User_Alias

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe,r032ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe

#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=(ALL) NOPASSWD: ALL
WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

What I want is that the users in WAS should not be able to switch to root,
but they should be able to switch to user "wasdevadmin".
Only users in SUPPORT should be able to switch to root.
Jeff_Traigle
Honored Contributor

Re: Sudoers file

> WAS ALL=(ALL) NOPASSWD: ALL
> WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin


The first line is saying to allow the WAS users to run any command on any host as any user. The second line is redundantly saying to allow WAS users to run the su commands specified on all hosts as root. You don't have anything restricting them from running su to root as a previous post stated to do.
--
Jeff Traigle
Patrick Wallek
Honored Contributor

Re: Sudoers file

What about the following:

WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin

You also have 2 lines for WAS. I don't remember which will take priority, but the 2 may be conflicting.

What happens if you comment out the first WAS line?
ofure
Occasional Advisor

Re: Sudoers file

Thanks for your prompt reply. This has partly resolved the issue. At least users in WAS cannot su to root any more, but now the WAS users cannot switch to the wasdevadmin user.
I want a situation where they can switch to wasdevadmin without being prompted for a password.

Regards

Patrick Wallek
Honored Contributor

Re: Sudoers file

What does your sudoers file look like now?
Matti_Kurkela
Honored Contributor

Re: Sudoers file

> I want a situation where they [= the users in sudo group WAS] can switch to wasdevadmin without being prompted for a password.

You need this line in your sudoers file:

WAS ALL=(wasdevadmin) NOPASSWD: ALL

Then tell your users to use the sudo command like this:

sudo -H -u wasdevadmin -i
(to run a shell as wasdevadmin; equivalent to "sudo su - wasdevadmin")

...or like this:

sudo -H -u wasdevadmin
(to run as wasdevadmin and then continue the session as themselves)

MK
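The behaviour seen in this thread comes down to one rule from sudoers(5): every entry that matches the user, host, runas user and command is applied in file order, and the last match decides both whether the command is allowed and whether a password is required. The script below is an added example written for this page, not code from the thread or from the sudo project. It models only the sudoers subset used above (User_Alias, host ALL, a (runas) list, NOPASSWD:/PASSWD: tags, ALL, commands with or without arguments, and "!" negation) and approximates sudo's argument matching with fnmatch over the joined argument string, which is an assumption of the model. The three sudoers fragments are constructed from the lines posted in the thread, with member lists shortened.

```python
"""Added example (not from the thread or the sudo project): a tiny model of
how sudo evaluates sudoers entries, covering only the subset used above."""
import fnmatch
import shlex


def parse_sudoers(text):
    """Return (user_aliases, specs) for the supported sudoers subset:
    User_Alias lines and  user host=(runas) [NOPASSWD:|PASSWD:] cmd,!cmd,ALL"""
    aliases, specs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line:
            continue
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = {m.strip() for m in members.split(",")}
            continue
        who_host, rhs = line.split("=", 1)
        who, host = who_host.split()
        rhs = rhs.strip()
        runas = {"root"}                               # sudo's default Runas_Spec
        if rhs.startswith("("):
            inside, rhs = rhs[1:].split(")", 1)
            runas = {r.strip() for r in inside.split(",")}
            rhs = rhs.strip()
        nopasswd = False
        for tag in ("NOPASSWD:", "PASSWD:"):
            if rhs.startswith(tag):
                nopasswd = tag == "NOPASSWD:"
                rhs = rhs[len(tag):].strip()
        cmds = [(c.strip().startswith("!"), c.strip().lstrip("!").strip())
                for c in rhs.split(",")]
        specs.append((who, host, runas, nopasswd, cmds))
    return aliases, specs


def cmd_matches(pattern, argv):
    """Does one sudoers Cmnd match the command line the user asked for?"""
    if pattern == "ALL":
        return True
    pat = pattern.split()
    if pat[0] != argv[0]:
        return False
    if len(pat) == 1:                                  # no args in sudoers: any args
        return True
    # args listed in sudoers must match the user's args, wildcards allowed
    # (fnmatch over the joined strings approximates sudo; an assumption here)
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(pat[1:]))


def check(sudoers, user, runas, cmdline, host="ALL"):
    """Verdict for 'sudo -u <runas> <cmdline>' run by <user>: (allowed, nopasswd)."""
    aliases, specs = parse_sudoers(sudoers)
    argv = shlex.split(cmdline)
    verdict = (False, False)                           # nothing matched: denied
    for who, h, runas_set, nopasswd, cmds in specs:
        if who != user and user not in aliases.get(who, set()):
            continue
        if h not in ("ALL", host):
            continue
        if "ALL" not in runas_set and runas not in runas_set:
            continue
        for negated, pattern in cmds:
            if cmd_matches(pattern, argv):
                verdict = (not negated, nopasswd)      # LAST match wins
    return verdict


# Constructed fragments based on the lines posted in the thread (member lists shortened).
POSTED = """
User_Alias WAS = g343ahe,m017ahe
User_Alias SUPPORT = d060ahe
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=(ALL) NOPASSWD: ALL
WAS ALL=/usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
"""
# The negated line suggested in the thread, added while the blanket WAS grant is kept.
BYPASSABLE = POSTED + "WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin\n"
# The later version: blanket grant removed, (wasdevadmin) line added.
REVISED = """
User_Alias WAS = g343ahe,m017ahe
User_Alias SUPPORT = d060ahe
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
WAS ALL=(wasdevadmin) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for name, conf in (("POSTED", POSTED), ("BYPASSABLE", BYPASSABLE), ("REVISED", REVISED)):
        for runas, cmd in (("root", "/usr/bin/su - root"), ("root", "/usr/bin/su"),
                           ("root", "/usr/bin/su - wasdevadmin"), ("wasdevadmin", "/bin/bash")):
            print(f"{name:10} g343ahe: sudo -u {runas} {cmd:28} -> {check(conf, 'g343ahe', runas, cmd)}")
```

Run it as a script to print the verdict for each fragment and command. With POSTED, the blanket `WAS ALL=(ALL) NOPASSWD: ALL` line already allows `sudo su - root`, and the second WAS line is not harmless either: because it is the last match for `sudo su - wasdevadmin` and carries no NOPASSWD tag, that one command asks for a password. BYPASSABLE is what you get if the negated line is added while the blanket grant stays: `sudo su - root` is now refused, but `sudo /usr/bin/su` with no arguments (which also gives root) and `sudo /bin/bash` still go through, which is why sudoers(5) warns that subtracting commands from ALL with "!" is not effective (a user could also copy su under another name and run that via sudo). REVISED drops the blanket grant and adds the `(wasdevadmin) NOPASSWD: ALL` line: root is denied, `sudo su - wasdevadmin` is allowed but prompts for a password (it matches the first WAS line, default runas root, no NOPASSWD), while `sudo -u wasdevadmin -i` matches the second line and needs none. On a real host, verify the file with `visudo -c -f <file>` and the effective grants with `sudo -l -U <user>`.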
ofure
Occasional Advisor

Re: Sudoers file

Below is how my sudoers file looks now:

User_Alias WAS = g343ahe,m017ahe,y073ahe,y072ahe,h234ahe,r019ahe

User_Alias SUPPORT = d060ahe,h070ahe,s029ahe
#User privilege specification
root ALL=(ALL) ALL
SUPPORT ALL=(ALL) ALL
SUPPORT ALL=(ALL) NOPASSWD: ALL
WAS ALL=!/usr/bin/su -, !/usr/bin/su *root*, /usr/bin/su - wasdevadmin,/bin/su - wasdevadmin
WAS ALL=(wasdevadmin) NOPASSWD: ALL

But the users in WAS still cannot switch to the wasdevadmin account. I want the users in WAS to be able to do this without being prompted for a password. Thanks.
Regards.
INH
Regular Advisor

Re: Sudoers file

Remove the user names you don't want to be able to sudo to root from the sudoers file.

If you have to grant specific access, you can grant it in the sudoers file for the required users by defining a user alias, command alias and host alias for those users.


Regards,
INH
Knowledge is power