Recipe 5.14 Restricting root's Abilities via sudo5.14.1 ProblemYou want to let a user run all commands as root except for specific exceptions, such as su. 5.14.2 SolutionDon't. Instead, list all the permissible commands explicitly in /etc/sudoers. Don't try the reverse letting the user run all commands as root "except these few" which is prohibitively difficult to do securely. 5.14.3 DiscussionIt's tempting to try excluding dangerous commands with the "!" syntax: /etc/sudoers: smith ALL = (root) !/usr/bin/su ... but this technique is fraught with problems. A savvy user can easily get around it by renaming the forbidden executables: smith$ ln -s /usr/bin/su gimmeroot smith$ sudo gimmeroot Instead, we recommend listing all acceptable commands individually, making sure that none have shell escapes. 5.14.4 See Alsosudo(8), sudoers(5). |