So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password.
The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password.
Here's the /etc/sudoers file:
Defaults targetpw
%users ALL=(ALL) ALL
root ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql
Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?
Best Answer
They can "mount"? Then they have everything to become superuser. There are some other interesting commands, too.
You really want to make /etc/sudoers a white-list, and not a black-list.
With proper file and directory access bits and user/group settings, you should not need sudo in your daily work.
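As an added example (not from the question or the answer above), the script below shows the questioner's rules next to an explicit allow-list built with a Cmnd_Alias, and a small audit function that flags every NOPASSWD spec ending in "/" (which sudoers matches as "any file in that directory", so /bin/ covers /bin/su). The rule sets are constructed copies for demonstration; the SUPPORT_CMDS alias name and the cat/mkdir selection are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not from the original question or answer): flag sudoers
# NOPASSWD rules that grant a whole directory, and show the explicit
# allow-list the answer recommends. All rules here are constructed copies.

# The questioner's rules: every spec ending in "/" means "any file in that
# directory", which is why /bin/ covers /bin/su as well as /bin/cat.
WEAK_SUDOERS='Defaults targetpw
%users ALL=(ALL) ALL
root ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql'

# Allow-list form: name each command the support account actually needs
# (the question mentions cat and mkdir); /bin/su is simply not listed.
SAFE_SUDOERS='Defaults targetpw
%users ALL=(ALL) ALL
root ALL=(ALL) ALL
Cmnd_Alias SUPPORT_CMDS = /bin/cat, /bin/mkdir, /usr/bin/mysql
support ALL=(ALL) NOPASSWD: SUPPORT_CMDS'

# directory_grants FILE: print each NOPASSWD command spec that ends in "/".
# Exit status 1 if any was found, 0 if the file has none.
directory_grants() {
    awk -F'NOPASSWD:' '
        /NOPASSWD:/ {
            n = split($2, spec, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", spec[i])
                if (spec[i] ~ /\/$/) { print spec[i]; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }' "$1"
}

# audit_text NAME TEXT: write the rules to a temp file, report, clean up.
audit_text() {
    f=$(mktemp)
    printf '%s\n' "$2" > "$f"
    echo "== $1 =="
    if directory_grants "$f"; then
        echo "no directory-wide NOPASSWD grants"
    else
        echo "directory-wide NOPASSWD grants found; rewrite as an allow-list"
    fi
    rm -f "$f"
}

audit_text weak "$WEAK_SUDOERS"
audit_text safe "$SAFE_SUDOERS"
```

Before installing a rewritten file on a real host, check its syntax with visudo -c so a typo cannot lock everyone out of sudo.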