want sudo but not sudo su - how

Hauan, David david.hauan at fairchild.af.mil
Mon Jun 14 07:47:27 PDT 2004



> -----Original Message-----
> From: John [mailto:lists at itconsultuk.net]
> Sent: Saturday, June 12, 2004 6:30 AM
> To: freebsd-questions at freebsd.org
> Subject: Re: want sudo but not sudo su - how
> 
> 
> On Sat, Jun 12, 2004 at 11:59:59AM +0000, Andy Smith wrote:
> 
> > It might be best to just say "I don't want you doing this" and then
> > punish people who do, since you do have logs.
> 
> yeah, thought this might be the case :| thanks for confirming it.
> 
> > If you're trying to restrict what people can do with sudo it will be
> > better to explicitly list each binary they can run as root and make
> > sure there's no way they can modify those binaries.
> 
> yeah, but too many binaries (or roles too diffuse, tightening up of which
> would be another way of handling it)
> 

visudo and add

john		ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

this will allow you to su to anyone but root

dave
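
How the two entries in that sudoers line evaluate against sample command lines, as an added example that is not part of the original message. It is a simplified Python model of sudoers matching (arguments joined into one string, shell-style wildcards, last matching entry wins) built on Python's fnmatch, not sudo's own code; the user names and sample invocations are constructed.

```python
import fnmatch

# The Cmnd_Spec list from the message above: (negated, command, argument pattern).
RULES = [
    (False, "/usr/bin/su", "[!-]*"),
    (True,  "/usr/bin/su", "*root*"),
]

def sudo_allows(command, args, rules=RULES):
    """Return True if the rule list permits `command` with argument list `args`.

    Models two documented sudoers behaviours: the arguments are joined with
    spaces and matched as one string by shell-style wildcards, and when several
    entries match, the last one wins. No matching entry means denied.
    """
    joined = " ".join(args)
    decision = False
    for negated, rule_cmd, arg_pattern in rules:
        if command == rule_cmd and fnmatch.fnmatchcase(joined, arg_pattern):
            decision = not negated
    return decision

# Constructed sample invocations (user names are made up).
SAMPLES = [
    ["alice"],                                 # plain target user
    ["root"],                                  # the target the rule is meant to block
    ["-", "alice"],                            # leading "-" fails [!-]*, nothing matches
    ["-l", "alice"],                           # same: any leading option is refused
    [],                                        # bare "su": empty string fails [!-]*
    ["groot"],                                 # contains "root" as a substring
    ["alice", "-c", "grep root /etc/passwd"],  # "root" anywhere in the arguments
]

if __name__ == "__main__":
    for args in SAMPLES:
        verdict = "allow" if sudo_allows("/usr/bin/su", args) else "deny"
        print(f"{verdict:5}  /usr/bin/su {' '.join(args)}")
```

Of the samples, only the plain `alice` invocation is allowed; the `*root*` entry also refuses any argument string that merely contains "root".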

