Linux – preventing “sudo su -” but allow “sudo su – serveruser”

linuxsudo

First, I am NOT looking for rock star security. We just at a glance want to prevent "sudo su -" and it is a policy here to always use sudo when running commands and we all want that. Ideally we would like to log something if someone does try "sudo su -" to please obey the culture and never become root so we can reverse engineer all commands run and what happened. Is there a way to do this to prevent sudo su – but allow "sudo su – serveruser"

thanks,
Dean

Best Answer

You can specify the full "su - foouser" in the sudoers file - the entire command string must be matched, which prevents a simple "su -". On the downside, you'll have to list all acceptable destination users with separate allowed commands.

Alternately, you can use sudoers to specify groups of destination users and have them use the "sudo -U " format.

Related Solutions

Linux – How to Setup Passwordless Sudo

EDIT thanks to medina's comment: According to the man page, you should be able to write

ALL            ALL = (ALL) NOPASSWD: ALL

to allow all users to run all commands without a password.

For reference, I'm leaving my previous answer:

If you add a line of the form

%wheel         ALL = (ALL) NOPASSWD: ALL

to /etc/sudoers (using the visudo command, of course), it will let everyone in the group wheel run any commands without providing a password. So I think the best solution is to put all your users in some group and put a line like that in sudoers - obviously you should replace wheel with the actual group you use.

Alternatively, you can define a user alias,

User_Alias     EVERYONE = user1, user2, user3, ...

and use that:

EVERYONE       ALL = (ALL) NOPASSWD: ALL

although you would have to update /etc/sudoers every time you add or remove a user.

Linux – chown to a user I can sudo to

You could do this directly with sudo. When I first started thinking about how to do that, I quickly realized that the number of chowns you would have to specify for n users would be n^2 if you try to map them directly. But you can cut this down to 2n if you require the user to take ownership of each file before re-assigning it. So, your sudoers file might look like this:

User_Alias CHOWNADMIN1 = jane
Cmnd_Alias CHOWNUSR1 = /bin/chown --from widget-dev jane *, /bin/chown --from jane widget-dev *
Cmnd_Alias CHOWNUSR2 = /bin/chown --from releng jane *, /bin/chown --from releng amy *

CHOWNADMIN1     ALL= NOPASSWD: CHOWNUSR1, CHOWNUSR2

With this setup, Jane can now do a two-step process to change ownership:

chown --from widget-dev jane /tmp/foofile
chown --from jane releng /tmp/foofile

Notice that you must restrict this permission with --from, or you open up the possibility of granting the user "jane" the permission to take ownership of files like /etc/shadow or /root/.ssh/id_rsa (that could be bad).

Of course, you could now write a very simple script to automate the chowns. Perhaps something like the following, but with some error checking:

#!/bin/bash
FROM=$1
shift
TO=$1
shift

sudo chown --from $FROM $USER $*
sudo chown --from $USER $TO $*

And now Jane can run "rchown releng widget-dev /tmp/foofile" or similar.

Best Answer

Related Solutions

Linux – How to Setup Passwordless Sudo

Linux – chown to a user I can sudo to

Related Topic