Re: configuring sudo access for some users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Nov 29, 2007 8:05 PM, ankush grover <ankushfedora@xxxxxxxxx> wrote:
> What they require (I mean users) is to do all the
> things except they cannot su/su- to become anyother user or root user, they

> test ALL=(ALL) ALL, !/usr/bin/su
> test2 ALL=(ALL) ALL, !/usr/bin/su

test and test2 could then
 sudo bash

And then they have an unlimited root shell.
The following gets you a little closer to what you want, but never
really gets you there:

test myhost=(root) !/usr/bin/su,!sudo,!/bin/bash,!/bin/tcsh,!vi,!less

on and on and on and on, listing every command line tool that has a
"shell escape feature". In other words, what you want may be possible
in theory but not in practice. But at least you have to limit them to
a particular user (maybe not root but some other special user with
special ownerships that you have set up).

I recommend defining what commands are okay for them to use, and then
doing some homework to make sure those are safe (no way to escape to a
shell, which is hard to guarantee). Or only give sudo power to people
you trust completely.
HTH,
Dave


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux