  1. #1
    Just Joined!
    Join Date
    Jan 2012
    Posts
    7

    How to disable an option from command

    Hi All,
    I am a newbie facing a problem with the sudo -s option. I wanted to disable the sudo -s option altogether.

    Ex: sudo ls
    (should work)
    where
    sudo -s ls
    (should not work)


    Please help with your ideas.

  2. #2
    Linux User Daan
    Join Date
    Aug 2005
    Location
    The Netherlands
    Posts
    320
    Hi sasikantheda,

    I am not sure it is easy to disable an option for sudo. One way would be to change the source code and then compile your own version of sudo. Another way would be to rename the sudo binary and replace it with a script that does nothing if executed with the option -s and otherwise just passes everything on to the renamed binary. But both options seem rather ugly to me.

    But why would you want to disable this option?

    Regards,

    Daan
    OS's I use: Debian testing, Debian stable, Ubuntu, Windows XP, Windows Vista

  3. #3
    Just Joined!
    Join Date
    Jan 2012
    Posts
    7
    Thank you Daan for sharing your ideas.

    My problem is to limit the sudo user editing the visudo (/etc/sudoers).
    This I have achieved by adding a line in /etc/sudoers as sudo user ALL = (ALL) , !/usr/sbin/visudo
    But this can be bypassed by using sudo -s (the sudo user can now change the sudoers file).
    So I thought to remove this option.

    Please help with your ideas.

  4. #4
    Linux Guru
    Join Date
    May 2011
    Posts
    1,838
    Well, as sudo -s means to run an interactive shell, how about listing that shell as a forbidden command, as well, in visudo? e.g.:

    Code:
    sudouser ALL = (ALL) !/usr/sbin/visudo
    sudouser ALL = (ALL) !/bin/bash
    Of course, this may break other things you want the sudo user to be able to do... just an idea. Daan's idea is good, too.

  5. #5
    Just Joined!
    Join Date
    Jan 2012
    Posts
    7
    Thank you atreyu for sharing your idea.

    The code sudouser ALL = (ALL) !/bin/bash
    solved my purpose.

    Thanks a lot.

  6. #6
    Trusted Penguin Cabhan
    Join Date
    Jan 2005
    Location
    Seattle, WA, USA
    Posts
    3,230
    This does not actually accomplish what you want.

    Yes, it does not allow me to run sudo -s. But I could do:
    Code:
    $ cp /bin/bash ~/my_bins/bash
    $ sudo ~/my_bins/bash
    # vi /etc/sudoers
    If you are allowing a user to become root via sudo, they can do literally anything. If you do not want the user to be able to do absolutely anything, then they should not be able to sudo as root.

    The only actual way to prevent a user from editing the /etc/sudoers file is to ensure that they can never access an account that can write to the file.
    DISTRO=Arch
    Registered Linux User #388732

  7. #7
    Linux Guru
    Join Date
    May 2011
    Posts
    1,838
    Yes, that's very true. There are other ways, too. I usually make a practice of having a list of sudo commands that a user can run versus a list of ones they can't.
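
Added example, not part of any post in the thread: a small Python check that flags the sudoers patterns discussed above (ALL with negated commands, unrestricted ALL, or an allowlisted shell), any of which amounts to full root. The sample rules, the user names and the `audit_sudoers` helper are constructed for illustration, and the parser assumes simple one-line user specifications.

```python
import re

# Shells: permitting one of these through sudo is the same as permitting ALL.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}

# Simplified user spec "user host = (runas) cmd, cmd"; aliases, line
# continuations and #include directives are not handled (assumption).
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

# Constructed sample rules; user names and commands are hypothetical.
SAMPLE = """\
# Denylist, as attempted in the thread
sudouser ALL = (ALL) ALL, !/usr/sbin/visudo, !/bin/bash
# Allowlist of specific commands
operator ALL = (root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
# Allowlist that still hands out a shell
helper   ALL = (root) NOPASSWD: /bin/bash
"""

def audit_sudoers(text):
    """Return (user, kind, detail) for each rule that amounts to full root."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if not m or line.startswith("Defaults") or "_Alias" in line:
            continue
        user = m.group(1)
        # Split the command list and drop tags such as NOPASSWD:
        cmds = [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip())
                for c in m.group(2).split(",") if c.strip()]
        allowed = [c for c in cmds if not c.startswith("!")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in allowed and denied:
            # Negation matches by path, so a copy elsewhere is not covered.
            findings.append((user, "denylist", ", ".join(denied)))
        elif "ALL" in allowed:
            findings.append((user, "unrestricted", "ALL"))
        for c in allowed:
            if c != "ALL" and c.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((user, "shell", c))
    return findings

if __name__ == "__main__":
    for user, kind, detail in audit_sudoers(SAMPLE):
        print(f"{user}: {kind}: {detail}")
```

A rule that produces no finding here has only passed these three checks; each allowlisted command still needs its own review.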
