List: sudo-users
Subject: Re: [sudo-users] How to Block with wildcards: sudo su?
From: Shawn McMahon <syberghost () gmail ! com>
Date: 2012-05-18 20:44:38
Message-ID: CAKDhi0T7-o0efXtgxRM-EEOQxmaCazCoVTSoL6SH8RsDRkqrDA () mail ! gmail ! com
That's a bad idea in general, since it's trivial to circumvent. Better would be:

    ORACLE_BDA SERVERS_DB = (oracle) ALL

...and then teach them to run:

    sudo -iu oracle

...in the rare instance they ACTUALLY need "su - oracle", and more often:

    sudo -iu oracle /path/to/some/command

I'd probably also look at adding log_output to that rule.

On Fri, May 18, 2012 at 3:14 PM, Jose <j.sejo1@gmail.com> wrote:
> Hello
>
> I have configured sudo on AIX (Unix IBM). sudo with wildcards
>
>
> The users administrator oracle, because not using root.
>
> ORACLE_BDA SERVERS_DB = NOPASSWD: ALL, !/usr/bin/ksh, !/usr/bin/bash,
> !/usr/bin/vi /etc/sudoers, !/usr/sbin/visudo, !/usr/bin/smit,
> !/usr/bin/smitty, !/usr/bin/* root, !/usr/bin/* bash, !/usr/bin/* ksh, etc etc etc.
>
>
> It blocks: sudo visudo, sudo root passwd, sudo bash, sudo ksh, sudo
> -s, edit visudo, etc etc.
>
> But not: sudo su, and the users switch to root
>
> My Answers:
>
> How block "sudo su" on sudoers?
>
> !/usr/bin/su ===> NO
>
> because The users need: sudo su oracle
>
> Thanks.
>
> Sorry for my english.
>
>
> --
> #############################
> # Operating System: Debian  #
> # Caracas, Venezuela #
> #############################
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users@sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
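
An added example, not part of either message and not sudo's own tooling: a small Python check that flags the deny-list pattern in the quoted rule (ALL followed by negated commands, run as root, with NOPASSWD) and passes the run-as-oracle form suggested in the reply. The sample rules are constructed from the thread, the parser is a simplification, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample: the two rules from this thread (the first abbreviated),
# laid out as they would appear in a sudoers file.
SAMPLE = r"""
ORACLE_BDA SERVERS_DB = NOPASSWD: ALL, !/usr/bin/ksh, !/usr/bin/bash, \
    !/usr/sbin/visudo, !/usr/bin/smitty
ORACLE_BDA SERVERS_DB = (oracle) ALL
"""

TAG = re.compile(r"((?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT)):\s*")
RUNAS = re.compile(r"\(([^)]*)\)\s*")

def audit(text):
    """Return [(user/host part, findings)] per rule. Simplified parser (assumption):
    aliases, Defaults and includes are skipped; tags stick for the rest of a rule."""
    results = []
    text = re.sub(r"\\\n\s*", " ", text)          # join backslash continuations
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(("#", "@", "Defaults"))
                or "_Alias" in line or "=" not in line):
            continue
        lhs, _, rhs = line.partition("=")
        runas, tags, cmds = "root", set(), []     # no Runas_Spec means root
        # split on commas, but not on commas inside a (runas list)
        for item in re.split(r",\s*(?![^(]*\))", rhs.strip()):
            m = RUNAS.match(item)
            if m:
                runas, item = m.group(1).split(":")[0], item[m.end():]
            while (m := TAG.match(item)):
                tags.add(m.group(1))
                item = item[m.end():]
            cmds.append((runas, frozenset(tags), item.strip()))
        findings = []
        negated = [c for _, _, c in cmds if c.startswith("!")]
        for user, t in [(r, t) for r, t, c in cmds if c == "ALL"]:
            if negated:
                findings.append(f"denylist: ALL minus {len(negated)} negated commands")
            if {u.strip() for u in user.split(",")} & {"root", "ALL"}:
                findings.append("ALL commands as root")
            if "NOPASSWD" in t:
                findings.append("NOPASSWD on ALL")
        results.append((lhs.strip(), findings))
    return results

if __name__ == "__main__":
    for who, findings in audit(SAMPLE):
        print(who, "->", findings or "ok")
```

Run against a copy of a sudoers file, any rule with a non-empty findings list is a candidate for rewriting into an explicit Runas_Spec with a narrower command list.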