Thread: NEED Help with Sudo

  1. #1
    Junior Member

    NEED Help with Sudo

    I have a tricky situation with sudoers.

    I have an account called oracle

    I have created a Cmnd_Alias called "BlockedCommands" and have added "/bin/su - root,/bin/su root,/bin/su, /bin/su -" to that list.

    I have granted a user called x-men the following access:
    x-men ALL=(root) NOPASSWD :/bin/su - oracle, ALL, !BlockedCommands.

    The issue I am facing is that the x-men account cannot sudo su - oracle because (I think) it's defined in BlockedCommands, which is then restricted for the account.

    My question is:
    How can I prevent people from becoming root via (sudo su - root or sudo su root or sudo su or sudo su -), grant the ability to issue every other command, and also allow sudo su - oracle?

    Please help!!

  2. #2
    Senior Member Rahul.Patil's Avatar

    Hi,

    sudo and su are different. You can restrict "sudo su - root" using visudo but not "su"; to achieve the same you have to create PAM rules. Refer to this link for the same
    Rahul Patil <http://www.linuxian.com>

  3. #3
    Junior Member

    Thanks Rahul for your response.

    I am not looking to restrict users from issuing "su". If a user knows the password to an account, I am OK with them using su, followed by the password, to gain access to the account.

    My question was more along the lines of using sudo su.

    One can gain access to root by issuing any of the following:
    sudo su - root
    sudo su root
    sudo su -
    sudo su

    Due to business reasons, I have to grant a group the ability to issue almost all commands as root (via sudo) but want to prevent them from gaining access to root, hence I have created that Blocked_Commands command alias. Now, I also want to grant a user explicit permission to access a specific account (sudo su - oracle), but because of the Blocked_Command alias, where sudo su - and sudo su are blocked, the user is unable to execute sudo su - oracle.

    So, wanted to know how to get around this issue.

    Hope this helps you understand my issue?

    Thank You in advance for your support.

  4. #4
    Senior Member Rahul.Patil's Avatar

    Hi,

    Add a sudoers entry as below:
    Code:
    Cmnd_Alias DENY_CMD = /bin/su
    
    x-men ALL=(root) NOPASSWD:!DENY_CMD,/bin/su - oracle
    P.S. DENY_CMD must be in caps


    Testing :
    Code:
    root@svr100:~# su - x-men -c "sudo su - root"
    [sudo] password for x-men:
    Sorry, user x-men is not allowed to execute '/bin/su - root' as root on svr100.
    
    root@svr100:~# su - x-men -c "sudo su - oracle"
    $ ls
    $ ls -a
    .  ..  .bash_logout  .bashrc  .profile
    $
    Rahul Patil <http://www.linuxian.com>

  5. #5
    Junior Member

    Thanks Rahul.

    I see the mistake I was making. I had granted

    x-men ALL=(root) NOPASSWD :/bin/su - oracle, ALL, !BlockedCommands.

    After taking a hint from your solution, I have modified it to the following, which works fine.

    x-men ALL=(root) NOPASSWD :!BlockedCommands, /bin/su - oracle, ALL

    Thank you for all your support.
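
sudoers evaluates a command list left to right and the last matching entry decides, which is why the three orderings posted in this thread behave differently. The following is an added example (not code from any poster) that models that rule in simplified form, without wildcard support; the `constructed` ordering and the `/bin/ls /tmp` probe are assumptions added for comparison.

```python
# Simplified model of sudoers command-list matching (added example, not sudo's code).
ALIASES = {  # Cmnd_Alias definitions as posted in the thread
    "BlockedCommands": ["/bin/su - root", "/bin/su root", "/bin/su", "/bin/su -"],
    "DENY_CMD": ["/bin/su"],
}

def spec_matches(spec, argv):
    """Match one sudoers command spec against a command line (no wildcards)."""
    if spec == "ALL":
        return True
    if spec in ALIASES:                      # an alias matches if any member matches
        return any(spec_matches(m, argv) for m in ALIASES[spec])
    want = spec.split()
    if want[0] != argv[0]:
        return False
    # A spec without arguments matches the command with ANY arguments;
    # a spec with arguments must match them exactly.
    return len(want) == 1 or want[1:] == argv[1:]

def allowed(cmnd_list, command):
    """Walk the list left to right; the LAST matching entry decides."""
    argv, verdict = command.split(), False   # no match at all means denied
    for entry in (e.strip() for e in cmnd_list.split(",")):
        negated = entry.startswith("!")
        if spec_matches(entry.lstrip("!"), argv):
            verdict = not negated
    return verdict

RULES = {  # command lists from posts #1, #4 and #5, plus one constructed ordering
    "post1": "/bin/su - oracle, ALL, !BlockedCommands",
    "post4": "!DENY_CMD, /bin/su - oracle",
    "post5": "!BlockedCommands, /bin/su - oracle, ALL",
    "constructed": "ALL, !BlockedCommands, /bin/su - oracle",
}
COMMANDS = ["/bin/su - root", "/bin/su", "/bin/su - oracle", "/bin/ls /tmp"]

def evaluate():
    """Return {rule name: {command: allowed?}} for every rule/command pair."""
    return {name: {c: allowed(rule, c) for c in COMMANDS}
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(name, {c: ("allow" if ok else "deny") for c, ok in row.items()})
```

sudoers(5) itself notes that subtracting commands from ALL with `!` is rarely an effective restriction. After any reordering, check the effective policy as root with `sudo -l -U x-men`.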
