
I want to prevent the users from using the su command, and so I blocked the command in /etc/sudoers file as below:

%group ALL=(ALL:ALL) NOPASSWD:!/bin/su

But with this rule in sudoers, they are unable to execute sudo <command> commands, resulting in the error:

Sorry, user xxxx is not allowed to execute 'command' as root on <host>

Is there any way in which the program sudo relies on su?

forest
Karthik
  • Related: [su vs sudo -s vs sudo -i vs sudo bash](https://unix.stackexchange.com/q/35338) (see also the "Linked questions" on that question, as well as [other questions relating to `sudo` and `su`](https://unix.stackexchange.com/questions/tagged/su%2bsudo?tab=Frequent)). – Kusalananda May 22 '23 at 13:16
  • This seems like it's an [XY problem](https://meta.stackexchange.com/q/66377/386992). Setting up sudo as "people can do anything except Foo as root" is almost always the wrong thing to do. Why exactly are you trying to do that? – Joseph Sible-Reinstate Monica May 23 '23 at 04:26
  • @JosephSible-ReinstateMonica Indeed. It's almost impossible to give someone "just a little bit of root". "Well, they need to edit this one file, I'll set up `/etc/sudoers` so they can run `vi`." User starts `vi` via `sudo` and then enters `:!/bin/bash`. Instant `root` shell. That's just one example. That's why there's auditing... – Andrew Henle May 23 '23 at 04:39

2 Answers


sudo doesn’t rely on su.

Your setup prevents users from running anything because it doesn’t grant anything: it only prevents users from using /bin/su. You’d need NOPASSWD: ALL, !/bin/su or something to that effect.

Note however that denying /bin/su in this way won’t stop users from copying su somewhere else and running the copy. See the relevant discussion in man sudoers.

Stephen Kitt
  • My bad! You are absolutely right! – Karthik May 22 '23 at 13:18
  • There are lots of other holes by which users with sudo privileges can get root access even when su is denied. `sudo sudo`, `sudo bash`, `sudo vi`, `sudo less`, `sudo chmod`..... – symcbean May 22 '23 at 13:56
  • @symcbean or just `sudo -s`. – Stephen Kitt May 22 '23 at 14:07
  • Copying `su` isn't likely - or at least if it is then either the SUID bit will get dropped or the user already had root access – roaima May 22 '23 at 15:41
  • @roaima given that the intention was `ALL=(ALL:ALL)` I think it’s safe to assume that the user already has root access. – Stephen Kitt May 22 '23 at 15:50
  • @symcbean: `sudo cp $HOME/vmlinuz /boot/vmlinuz` – Joshua May 23 '23 at 04:15
  • @roaima They can do `sudo chmod u+s su_copy` – Barmar May 23 '23 at 13:13
  • @Barmar they don’t even need to, `sudo su_copy` will run `su_copy` as root so it doesn’t need to be setuid. – Stephen Kitt May 23 '23 at 13:16
  • @Joshua I take it you don’t use Secure Boot. – Stephen Kitt May 23 '23 at 13:16
  • True, the popular `sudo su` idiom is weird to begin with. – Barmar May 23 '23 at 13:29
  • @StephenKitt: You're right, I don't. According to the manual I would just also need to do `sudo sbsign` as well. – Joshua May 23 '23 at 13:53
  • @Joshua you’d need to either know the passphrase for one of the system’s MOKs, or enroll a new one (assuming you have physical access to the system and know the appropriate setup password; but if that’s the case you already own the system anyway). – Stephen Kitt May 23 '23 at 14:16
  • @Barmar Yes `sudo su` would be weird, but the idiom was actually `sudo su -` and its popularity was well deserved. It's almost a real login (all the startup scripts, login shell, etc.) and it was a useful shorthand back when `sudo -i` didn't exist. The behavior of `sudo -s` is/was quite different. – kubanczyk May 23 '23 at 15:00
  • No need to copy `su`, `sudo env su`, `sudo sh -c su` would be enough to run `su` (assuming the `noexec` sudo feature is not used). – Stéphane Chazelas May 24 '23 at 11:20
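To make the grant-versus-deny point in the accepted answer concrete, here is an added example (not from the question, the answer, or sudo itself): a deliberately simplified evaluator of a single sudoers user specification, with the rule names, the group name and the command paths constructed for the demo. It applies sudo's documented semantics that the last matching command entry decides and that an entry list which never matches grants nothing, so it also shows why a path-based `!/bin/su` exception does not cover a copy of `su` under another path.

```python
"""Toy evaluator for one sudoers user specification (illustration only).

Simplifications: commands are matched by exact absolute path or ALL,
no argument or wildcard matching, and group membership is passed in.
"""
import re

# Constructed samples: the non-granting rule from the question and the
# corrected form suggested in the answer (ALL first, then the exception).
BROKEN_RULE = "%group ALL=(ALL:ALL) NOPASSWD:!/bin/su"
FIXED_RULE = "%group ALL=(ALL:ALL) NOPASSWD: ALL, !/bin/su"

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$"
)


def parse_rule(line):
    """Split a user specification into (who, host, runas, [(negated, cmd), ...])."""
    m = SPEC_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line: %r" % line)
    cmds = []
    for item in m.group("cmds").split(","):
        item = item.strip()
        # Tags such as NOPASSWD: or NOEXEC: do not take part in matching.
        item = re.sub(r"^(?:[A-Z_]+:\s*)+", "", item)
        negated = item.startswith("!")
        cmds.append((negated, item.lstrip("!").strip()))
    return m.group("who"), m.group("host"), m.group("runas"), cmds


def is_permitted(rule, groups, command_path):
    """True if a member of `groups` may run `command_path` under `rule`.

    Every command entry is examined in order and the last one that matches
    decides; if no entry matches, nothing was granted (default deny).
    """
    who, _host, _runas, cmds = parse_rule(rule)
    if not (who.startswith("%") and who[1:] in groups):
        return False
    decision = None
    for negated, cmd in cmds:
        if cmd == "ALL" or cmd == command_path:
            decision = not negated
    return bool(decision)


if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        for path in ("/bin/ls", "/bin/su", "/home/user/su_copy"):
            print(rule, "->", path, is_permitted(rule, ["group"], path))
```

The third sample path is why the answer points to the sudoers manual: the deny entry matches only the literal `/bin/su`, so an allowlist of specific commands, not `ALL` with exceptions, is the setting that actually restricts what runs as root.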

Make the su password impossible to guess and you get the same effect. Though you might want to prevent the password from being changed that way.

Meh