Operating System - HP-UX

how to setup " /usr/bin/su " can not be run by using sudo tools

 
SOLVED
Go to solution
Eric  Unix
Frequent Advisor

Hello All

If I want users to be able to run all commands except one command, "/usr/bin/su", how do I set that up?
I have tried to set it up as follows:

eric prodsvr = noexec : /usr/bin/su

and then log in as eric and run:
$ sudo su
>>> sudoers file: syntax error, line 23 <<<
sudo: parse error in /usr/local/etc/sudoers near line 23

Why? Can someone help me? Thanks a lot.

BR
eric
Look forward
Johnson Punniyalingam
Honored Contributor
Solution

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

commands "who am i" and "whoami". In an su situation, "who am i" will report the user you su from while
"whoami" will report the user you su to.

In this way, depending on the login shell you are using, you can modify the .profile/.cshrc/.login of your
particular user account accordingly to suit your needs.

For example, add the following to the beginning of your oracle's .profile:
=============================================
trap "" 1 2 3
# compare the login name (who am i) with the effective user (whoami)
if [ "`who am i | awk '{print $1}'`" != "`whoami`" ]
then
# this implies an su, thus proceed on
# with the rest of your command executions.
: # no-op so the then-branch is not empty
else
# this user must have logged on direct
# without su'ing thus logout this user
logout
fi
trap 1 2 3
=============================================

To prevent your user from modifying his own .profile to workaround it, remember to change the ownership of oracle's .profile to root and chmod 755 the .profile.

Thanks,
Johnson
Problems are common to all, but attitude makes the difference
OldSchool
Honored Contributor

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

I don't believe noexec works the way you think it does. It's used to prevent escaping from a "permitted" command to a shell, not to prevent a command from being run.
See:
http://www.courtesan.com/sudo/man/sudoers.html#noexec_and_exec

The example they give is:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

which allows aaron to run "more" and "vi", but not break out to a new shell from them, which would give them privileged (root) access to everything.
Eric  Unix
Frequent Advisor

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

Hello Johnson

Great, and it works now. Thank you very much.

Best Regards
Eric
Look forward
Javed Khan_1
Valued Contributor

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

Hi,

Edit the sudoers file and add

username ALL=(ALL) ALL, !/usr/bin/su

This will allow the user to run all commands except su.


Regards,
Javed
Never Give Up
Kenan Erdey
Honored Contributor

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

Hi,

You can prevent the use of "sudo su -" with:

username ALL=(ALL) ALL, !/usr/bin/su

but the user can still copy /usr/bin/su to another location and run that with sudo to gain root access. I couldn't find a solution to the 'ALL' phrase.

Kenan.
Computers have lots of memory but no imagination
Dennis Handly
Acclaimed Contributor

Re: how to setup " /usr/bin/su " can not be run by using sudo tools

>Kenan: but user still can copy /usr/bin/su to another location

Hmm, I first thought that may not work but it seems you may be right.
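Added example, not from any post in this thread: a small POSIX sh/awk check that flags sudoers rules of the "ALL, !command" form that Javed and Kenan discuss (the sudoers manual itself warns that subtracting commands from ALL with "!" can be circumvented by copying the binary under another name), run over two constructed sample files: the weak rules from this thread and an allowlist version that grants only named commands. The command names in the allowlist (swlist, bdf) are assumed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that grant ALL and then subtract
# commands with "!", the pattern Kenan notes can be bypassed by copying su.

# check_all_minus FILE: print each "ALL, !cmd" rule; exit 0 if none, 1 otherwise.
check_all_minus() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
        /=/ {
            cmds = $0
            sub(/^[^=]*=/, "", cmds)               # keep the command list after "="
            sub(/^[ \t]*\([^)]*\)/, "", cmds)      # drop a leading "(runas)" spec
            gsub(/[A-Z]+:/, "", cmds)              # drop tags such as NOEXEC:
            if (cmds ~ /(^|[, \t])ALL([, \t]|$)/ && cmds ~ /![ \t]*\//) {
                print FILENAME ":" FNR ": " $0
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample: the "allow everything except su" rules from this thread.
make_sample_weak() {
    f="${TMPDIR:-/tmp}/sudoers.weak.$$"
    cat > "$f" <<'EOF'
eric prodsvr = ALL, !/usr/bin/su
username ALL=(ALL) ALL, !/usr/bin/su
EOF
    echo "$f"
}

# Constructed sample: an allowlist instead (command names are assumed).
make_sample_hardened() {
    f="${TMPDIR:-/tmp}/sudoers.hardened.$$"
    cat > "$f" <<'EOF'
Cmnd_Alias ADMIN_CMDS = /usr/sbin/swlist, /usr/bin/bdf
eric prodsvr = ADMIN_CMDS
EOF
    echo "$f"
}

weak=$(make_sample_weak); hard=$(make_sample_hardened)
check_all_minus "$weak" || echo "weak: subtractive rules found (listed above)"
check_all_minus "$hard" && echo "hardened: no subtractive rules"
rm -f "$weak" "$hard"
```

On a real system, point check_all_minus at /etc/sudoers (or /usr/local/etc/sudoers as in Eric's error message) and at the files under the includedir; a flagged line is a rule worth replacing with an explicit Cmnd_Alias.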