
I need to accomplish the following things.

  1. Disable Ubuntu user.

  2. Disable sudo su for all users.

  3. Each user should be able to execute sudo <command>.

I have modified my sudoers file as below:

# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Cmnd_Alias   NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias   NSU = /bin/su
# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL


%sysadmins ALL=(ALL) NOPASSWD:ALL ,!NSHELLS, !NSU


# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

Still, I can access sudo using the command: sudo sudo su

How to disable this? Any help is highly appreciated.

Kevin Bowen


With respect, if you get what you ask for and somebody can run sudo <anything but su>, they can:

  • Run sudo bash
  • Run sudo -i
  • Create a script that does something similar (including directly running su).
  • Just edit the configuration with sudo visudo

The point I'm trying to make is that if you allow people to run anything (or even nearly anything), they are as good as root. There are incalculable numbers of ways they could circumvent you.

If you only want them to be able to run a finite number of commands as root, create a new group (e.g. semisudo) and add each command to sudoers, like so:

%semisudo    localhost=/path/to/command
%semisudo    localhost=/path/to/another/command

And then add the user to that group and kick them out of admin/sudo.

Oli
  • Thanks for the quick update and information. I understand the risk of allowing everything with sudo. Here the motto is to see the changes made by the sysadmin users on a server. If sudo su will work, then – user1726453 Dec 19 '14 at 12:36
  • Thanks for the quick update and information. I understand the risk of allowing everything with sudo. It is difficult for us to add a finite command list for sysadmins who access the server on a daily basis. Here the motto is to see the changes made by each sysadmin user on a server. If sudo su will work, then it is difficult to monitor their activities, as they can run commands after hitting sudo su. Everything will be logged as root rather than the user name. – user1726453 Dec 19 '14 at 12:46
  • @user1726453 and anyone having the same concern, see this answer on logging possibility after sudo su: http://unix.stackexchange.com/a/109836/30230 – PF4Public Jun 03 '16 at 18:18
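As an added example (not part of Oli's answer or the original post), the shell script below writes the positive whitelist fragment Oli describes for a hypothetical semisudo group, validates it with visudo -c -f before it goes anywhere near /etc/sudoers.d, and enables per-session I/O logging so that, as the comments ask, each sysadmin's actions stay attributable to their own account. The group name, the command paths, the fragment name and the log directory are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or answers). Writes a sudoers
# fragment that grants a hypothetical "semisudo" group a fixed command list,
# as Oli's answer recommends, instead of ALL with exclusions.
# Assumptions: the group name, the command paths, the fragment name and the
# I/O log directory are illustrative; adjust them for your own system.

# Write the fragment to the path given as $1 (a scratch path, not /etc,
# until it has passed the syntax check below).
write_semisudo_fragment() {
    cat > "$1" <<'EOF'
# Positive whitelist only. sudoers matching is last-match, so a rule like
# "ALL, !/bin/su" still allows sudo, editors, scripts and every other binary;
# exclusions cannot enumerate what a root-capable user could run.
Cmnd_Alias SEMISUDO_CMDS = /usr/sbin/service, \
                           /usr/bin/apt-get update, \
                           /usr/bin/systemctl restart nginx

# Keep each invocation attributable to the calling user: the command is
# syslogged under their name, and the session I/O is recorded for sudoreplay.
Defaults:%semisudo log_output, iolog_dir=/var/log/sudo-io

%semisudo ALL=(root) SEMISUDO_CMDS
EOF
    chmod 0440 "$1"
}

# Syntax-check a fragment with visudo; returns visudo's status (0 = parsed OK).
# Falls back to 0 with a notice when visudo is not installed on this host.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; syntax check skipped for $1" >&2
    fi
}

# Install only a fragment that parsed cleanly. sudoers.d names must not
# contain '.' or '~', and the file must be root-owned with mode 0440.
install_fragment() {
    check_fragment "$1" &&
        install -o root -g root -m 0440 "$1" /etc/sudoers.d/semisudo
}
```

After installing, `sudo -l -U <user>` shows exactly what a member may run, and the user should also be removed from the admin and sudo groups as Oli notes.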

Edit /etc/sudoers:

root    ALL=(ALL:ALL) ALL, !/usr/bin/su
Marcius


I got a workaround to disable sudo sudo su. Just need to comment out the line below in the sudoers file.

#root    ALL=(ALL:ALL) ALL

It is working for me. Thanks all for your help.

muru