4

So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password. The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password. Here's the /etc/sudoers file:

Defaults targetpw    
%users ALL=(ALL) ALL 

root    ALL=(ALL) ALL

support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql

Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?

1
  • ln /bin/su /dirnotinsudoers/su; rm /bin/su
    – cularis
    Commented May 25, 2011 at 13:03

1 Answer

7

They can mount? Then they have everything to become superuser. There are some other interesting commands, too.

You really want to make /etc/sudoers a white-list, and not a black-list.

With proper file and directory access bits and user/group settings, you should not need sudo in your daily work.

1
  • Okay, so white-listing is the way to go. Thanks!
    – Ed Manet
    Commented May 25, 2011 at 13:17
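
The white-list advice from the answer, as an added example (not code from the question or the answer): a small audit that flags every `ALL` or directory grant in the quoted sudoers rules, since a directory entry ending in `/` covers every file directly inside it, and a helper that builds an explicit rule instead. The `ESCALATORS` list, the `/bin/mount` path and both function names are assumptions, and the parser handles only simple one-line user specifications.

```python
import posixpath
import re

# Constructed sample: the rules quoted in the question.
SUDOERS = """\
Defaults targetpw
%users ALL=(ALL) ALL
root    ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql
"""

# Assumption: only the two binaries this page names; /bin/mount is an assumed path.
ESCALATORS = ("/bin/su", "/bin/mount")

SPEC = re.compile(r"^(\S+)\s+[^=]+=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit(text, escalators=ESCALATORS):
    """Return (who, grant, nopasswd, escalators_covered) for every broad grant."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        who, nopasswd = m.group(1), False
        for item in m.group(2).split(","):
            item = item.strip()
            while (t := TAG.match(item)):      # a tag persists for later commands
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                item = item[t.end():]
            path = item.split()[0] if item else ""
            if path == "ALL":                  # unrestricted grant
                findings.append((who, path, nopasswd, sorted(escalators)))
            elif path.endswith("/"):           # directory: every file directly inside
                hit = sorted(e for e in escalators if posixpath.dirname(e) + "/" == path)
                findings.append((who, path, nopasswd, hit))
    return findings

def whitelist_rule(who, commands, escalators=ESCALATORS):
    """Build a NOPASSWD rule from explicit paths only; reject broad or risky entries."""
    for c in commands:
        if not c.startswith("/") or c.endswith("/") or c in escalators:
            raise ValueError(f"not allowed in whitelist: {c}")
    return f"{who} ALL=(ALL) NOPASSWD: " + ", ".join(commands)
```

Any rule produced this way should still be installed with `visudo`, which syntax-checks the file before saving.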
