HOW TO: disable sudoer from editing /etc/sudoers file
sudo
How can I prevent a sudoer from editing the /etc/sudoers file?
Best Answer
This depends on how much access you have given people who use sudo. If you have given people sufficient privilege to enable them to use sudo in an unrestricted manner then you pretty much have to trust them.
You can explicitly deny access to the visudo command
sudouser ALL=ALL, !/usr/sbin/visudo
then
$ sudo visudo
[sudo] password for sudouser:
Sorry, user sudouser is not allowed to execute '/usr/sbin/visudo' as root on host1.lan
However, this doesn't stop people from, for example, running a shell and then running visudo:
sudo -s
visudo
Bingo!
The only other solution is to reduce the scope of people's access via sudo. To do this you would have to analyse their privilege requirements and give them access via sudo to only those commands that they really need by use of command aliases etc.
The absolute last thing I would want to do is create a separate sudoers file, like Dave suggests. If you have a lot of machines, and only subtle differences apply (as is often the case), you really do not want this. It will generate a lot of overhead.
What you really want to do, is create one sudoers file. In that sudoers file, you can then define Host_Aliases for groups of systems for which you want a certain policy to apply. You can also make User_Aliases and whatnot. Done right, this gives you a huge benefit by having one file to edit, so it is easy to see what applies where and you don't have to worry about different versions of the sudoers file being deployed on different machines by accident.
New versions of sudo even support the sudoers.d directory in /etc, which might be of help too, but I haven't tried that yet.
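As an added example (not taken from either answer), here is a single sudoers file laid out the way the two answers describe: explicit command aliases per group instead of ALL with a negation (a "!/usr/sbin/visudo" entry is defeated by any permitted shell or editor), plus Host_Alias and User_Alias entries so the same file can be deployed everywhere. All user, host and alias names are constructed.

```sudoers
# Constructed example: one sudoers file deployed unchanged to every host.
# The User_Alias / Host_Alias / Cmnd_Alias names below are made up.

User_Alias  WEBOPS   = alice, bob
User_Alias  DBOPS    = carol

Host_Alias  WEBHOSTS = web1, web2, web3
Host_Alias  DBHOSTS  = db1, db2

# Grant only the commands each group actually needs. No ALL, no shells,
# no editors: any of those lets a user reach visudo (or open /etc/sudoers
# directly) no matter how many "!" entries are listed.
Cmnd_Alias  WEB_SVC  = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx, \
                       /usr/bin/journalctl -u nginx
Cmnd_Alias  DB_SVC   = /usr/bin/systemctl restart postgresql, \
                       /usr/bin/systemctl status postgresql

# Policy: which users, on which hosts, may run which commands as root.
WEBOPS  WEBHOSTS = (root) WEB_SVC
DBOPS   DBHOSTS  = (root) DB_SVC

# Shown for contrast only (kept commented out): "ALL minus visudo" still
# includes sudo -s, sudo -i, every shell and every editor, so the user
# can edit the sudoers file anyway.
# sudouser ALL = ALL, !/usr/sbin/visudo
```

Validate the file with `visudo -cf <file>` before deploying it, and confirm what a given user actually gets on a given host with `sudo -l -U alice`.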