Save yourself a lot of time. The sudo package from the Liverpool archive installs and runs just fine on 11.11 as well as 11.0.
NOTE: there is a packaging error with the current version (actually, it may be a bug in swinstall). When you setup a depot and load sudo, you'll get an error about invalid user/group ID and it exits saying that the package is corrupt. The problem (I think it is a bug in swinstall) is due to the INFO file in the sudo-RUN directory. At the top of the INFO file, there is the settings for sudo (mode, owner). The owner and group are both 0, but customarily, these have always been symbolic names like root or sys.
Apparently, swinstall doesn't like a number so by manually editing the INFO file at the location where the sudo program is assigned ownership, the error goes away. It has been reported to HP.
sudo has the ability to limit the actual commands that are allowed or explicitly exclude certain commands. Even the parameters for commands may be restricted.
Once sudo is in place, remove *ALL* alternate root users (other IDs with UID 0)
Here are a few other ideas on controlling root access:
To truly control users from making dumb mistakes, create a new group just for su, perhaps called suroot. Then add only your trained sysadmins to that group, and finally, do this:
echo "SU_ROOT_GROUP=suroot" >> /etc/default/security
Now, even if casual users know the root password, they cannot use su to gain root access. Protect root privileges even further with:
echo "console" > /etc/securetty
Now, root cannot login anywhere except the system console.
Bill Hassell, sysadmin
