Linux – sudo su runs without password prompt

linuxsudosuse

So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password.
The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password.
Here's the /etc/sudoers file:

Defaults targetpw    
%users ALL=(ALL) ALL 

root    ALL=(ALL) ALL

support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql

Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?

Best Answer

They can mount? Then they have everything to become superuser. There are some other interesting commends, too.

You really want to make /etc/sudoers a white-list, and not a black-list.

With proper file and directory access bits and user/group setings, you should not need sudo in your daily work.

Related Solutions

Linux – a safer no password sudo

Try adding this to your sudo options:

Defaults timestamp_timeout=0, tty_tickets

tty_tickets option (on by default) will make sudo ask password if it was not asked previously in that particular tty (including terminal emulators ptys), and timestamp_timeout=0 option will make it not ask it again in the whole session.

So, when you want to do some administrative operations, you can open terminal, sudo something, close it, and you will be safe again.

Linux – Whitelisting commands a user can use with sudo

Try to add something like this:

user ALL = (root) NOPASSWD: /bin/cmd1 args, /bin/cmd2 args

On the above line:

user is the user that needs access to the commands
/bin/cmd1 args, /bin/cmd2 args are the commands
root is the user under which the commands will be executed

Best Answer

Related Solutions

Linux – a safer no password sudo

Linux – Whitelisting commands a user can use with sudo

Related Question