Solved How to stop a user from becoming root in sudo

Hello,

I have been using sudo for a while now and I only just found out that if I run sudo su - I get full root access to the server.

I looked at /usr/local/etc/sudoers for any option I missed but failed to figure out how to prevent a user from becoming root.

Could anyone please share their experience and help me out.
Also, if anyone is willing to share, I would really love to see a good config of the /usr/local/etc/sudoers file for inspiration.
 
If a user is not in the group wheel, he cannot do sudo. You can explicitly allow with visudo, but not deny.
You're confusing it with su(1).

For sudo(8) it really depends on how it's configured. If a line contains something like:
Code:
user ALL=(ALL) ALL
That line says that the user user, on ALL systems, is able to sudo(8) to ALL user accounts and execute ALL commands (that includes a full root shell).

See sudoers(5)
 
SirDice, the only uncommented line in my /usr/local/etc/sudoers (via visudo) is
Code:
%wheel ALL=(ALL) NOPASSWD: ALL
I have created my admin user and invited him to the wheel group on account creation.
So am I right to think that any sudo user can escalate to root by using the sudo command: sudo su - and there is nothing I can do to change this behaviour?
Is the only option to trust the user you give sudo access?
 
If you don't trust the user, you simply don't put him in the wheel group; wheel is an administrative group where only the completely trustworthy users should be.
 
Code:
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=!/usr/bin/su
Does not prevent sudo -s or sudo -i or cp /usr/bin/su . ; sudo ./su - or sudo sh or ...

I don't think blacklisting commands will work.

EDIT: Just remembered this talk on using sudo effectively:
 
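As an added example (not from this thread, and not part of sudo itself), a small Python audit that applies the point above to a sudoers file: it flags user specifications whose command list is ALL or a shell binary, and marks ! denylist entries as ineffective, since sudo -s, sudo -i, sudo sh or a copied su still reach a root shell. The parser is a simplification (assumption: one-line User_Spec entries only; aliases, line continuations and #include directives are not resolved), and the sudoers text is constructed to mirror the lines quoted in this thread.

```python
"""Flag sudoers user specifications that effectively hand out a root shell.

Assumption: simplified parser for one-line User_Spec entries
(user or %group  HOST=(RUNAS) TAG: cmd, cmd); aliases are not resolved.
"""
import re

# Binaries that give the caller an interactive shell as the runas user.
SHELL_LIKE = {"/usr/bin/su", "/bin/sh", "/bin/csh", "/bin/tcsh", "/usr/local/bin/bash"}
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# who  host = (runas) TAG: command, command
SPEC_RE = re.compile(
    r"^(?P<who>%?[\w.+-]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?:(?:[A-Z]+:\s*)+)?(?P<cmds>.+)$"
)

# Constructed sample that mirrors the lines quoted in this thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
%wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=!/usr/bin/su
helper ALL=(root) /usr/sbin/service nginx restart
"""


def audit_sudoers(text):
    """Return (who, command, verdict) for entries that grant, or fail to block, a root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line or line.startswith(SKIP):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            path = cmd.lstrip("!").split()[0]
            if cmd.startswith("!"):
                # Denylist entry: sudo -s, sudo -i, sudo sh or a copied su still reach root.
                findings.append((who, cmd, "denylist entry; other routes to a root shell remain"))
            elif path == "ALL":
                findings.append((who, cmd, "ALL commands; sudo su -, sudo -s and sudo -i give a root shell"))
            elif path in SHELL_LIKE:
                findings.append((who, cmd, "grants a shell binary as the runas user"))
    return findings


if __name__ == "__main__":
    for who, cmd, verdict in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who:8} {cmd:16} {verdict}")
```

Run it against a copy of your own sudoers (for example the output of visudo -c -f) rather than editing the live file; anything it flags is an entry that trust, not a denylist, has to cover.
 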
If you don't trust the user, you simply don't put him in the wheel group; wheel is an administrative group where only the completely trustworthy users should be.
Yes, I do trust the user, as I am the admin user.
At the moment I have no trust issue, but I might need to have some help soon and will have to give admin access to someone else.
I guess I am mainly educating myself on the subject at the moment.
 
Just watched the video above, and it was a real eye-opener as to how little I actually knew about sudo.
Thank you very much for the link :)
 