
How can I restrict a user from executing sudo -su? I.e., disable this -su option for sudo allowed users.

fra-san
AVS
    You cannot. A `sudo` user can run anything as user root, so why is there a need to do this anyway? You should reconsider your security concept. – pLumo Apr 11 '19 at 11:51
  • You can always rename or delete the `sudo` binary. I think you need to describe your problem a lot better with many more details. – Bananguin Apr 11 '19 at 11:56
  • @RoVo this is not true. `sudo` allows for quite fine grained management. Of course nothing sensible would prevent a user from typing `sudo -su` in a shell. – Bananguin Apr 11 '19 at 11:58
  • While you are able to restrict what `sudo` is allowed to do in the `sudoers` file, `sudo` users can change that to whatever they like. So technically you might be right, but practically you're not. – pLumo Apr 11 '19 at 12:05
  • @RoVo: They can only change it if they can edit the file as root, but that doesn't need to be the case. You could allow user 1000 to run `/bin/bash` as user 1001. User 1000 will not be able to change the sudoers file. – Bananguin Apr 11 '19 at 12:12
  • I don't get it. If the user has `sudo` rights, how will you prevent him from editing the `sudoers` file? – pLumo Apr 11 '19 at 12:15
  • @RoVo: Others-executable permissions on the binary are enough to use `sudo`. You need to own neither the binary nor the configuration files. You do not need to be a member of the group(s) sudo and its configuration files belong to. You needn't configure `sudo` to grant users permissions to edit its configuration files. I have no idea what "`sudo` rights" are, but it sounds like more than is required. – Bananguin Apr 11 '19 at 12:48
  • @RoVo, there's no such thing as `sudo` rights. There's a list of rules in `sudoers` that determine what commands some users can run in the name of what other users. – Stéphane Chazelas Apr 11 '19 at 13:39
  • Okay, true, but OP asks for "*sudo allowed users*", so I assume he means users in `sudo` group that **should** be allowed to run any command as root with `sudo` (that is what I mean by *sudo rights* which is technically not the correct term) but not `sudo su`. So they could also run `sudo visudo` to remove restrictions. – pLumo Apr 11 '19 at 13:42
  • @RoVo, the OP asks about `sudo -su`, either a typo and they meant `sudo su`, or they ask about the `-s` and `-u` options. – Stéphane Chazelas Apr 11 '19 at 13:47
  • @AVS If you are trying to prevent users which are allowed to execute any command as root using `sudo` from being able to "run a shell as another user" (as `sudo -su` suggests), then the answer is that it's a bad idea. See, for instance, [Sudoers blacklist](https://unix.stackexchange.com/q/329405/315749). It would be better if you could restate your requirements in terms of "how can I allow some users to only execute these commands as root/as another user?". – fra-san Apr 11 '19 at 14:00
  • That's fine, I have gone through many answers available on Stack Exchange saying that whitelisting is a best practice. What I want is to replace the command `# sudo -su someuser` with some other command globally. – AVS Apr 12 '19 at 10:47
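The comments converge on whitelisting specific commands rather than trying to blacklist `sudo -s` / `sudo -u <user> <shell>` (or `sudo su`). As an added illustration written for this page (not code from the thread), the script below audits constructed sudoers lines and flags every user spec under which a shell as the run-as user is still obtainable: any rule granting `ALL` or a shell-like binary. It assumes a simplified sudoers syntax (one rule per line, no aliases, no line continuations); `SAMPLE_SUDOERS` and the user names in it are constructed.

```python
# Added example (not from the thread): audit simplified sudoers rules and flag
# the ones under which "sudo -s", "sudo -u <user> <shell>" or "sudo su" works.
import re
import shlex

# Binaries that turn a sudo rule into "run a shell as <runas>". Note that
# "sudo -s" runs the caller's own shell, so it only succeeds when the rule
# allows that shell explicitly or grants ALL.
SHELL_LIKE = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/su", "/usr/bin/su"}

# Constructed sample content; not a real sudoers file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL                        # full root: sudo -s works
bob     ALL=(deploy) NOPASSWD: /bin/bash     # shell as deploy via sudo -u deploy
carol   ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
dave    ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
"""

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)=\((.*?)\)\s*((?:[A-Z]+:\s*)*)(.*)$")

def parse_rule(line):
    """Return (user, runas, [commands]) for one user-spec line, else None."""
    line = line.split("#", 1)[0].strip()   # drop trailing comments
    m = RULE_RE.match(line)
    if not m:
        return None
    user, _host, runas, _tags, cmds = m.groups()
    commands = [c.strip() for c in cmds.split(",") if c.strip()]
    return user, runas, commands

def shell_capable(commands):
    """True if the command list lets the caller obtain an interactive shell."""
    for c in commands:
        if c == "ALL" or shlex.split(c)[0] in SHELL_LIKE:
            return True
    return False

def audit(text):
    """Map each user whose rule permits a shell to the run-as spec it grants."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed and shell_capable(parsed[2]):
            findings[parsed[0]] = parsed[1]
    return findings

if __name__ == "__main__":
    for user, runas in audit(SAMPLE_SUDOERS).items():
        print(f"{user}: can obtain a shell as ({runas})")
```

Only carol's and dave's whitelisted, non-shell commands pass the audit; the other rules are exactly the ones under which no `sudo` option can be "disabled" without rewriting the rule.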

0 Answers