- 05-21-2011 #1 (Mumbai, India)
Sudo Issue
Hi,
As a part of the accounting process in RHEL I've configured sudo access for users on the system, wherein the users can execute all commands via sudo except for 'sudo su'.
But there seems to be a way to circumvent it. If I type sudo sudo -i I get an interactive shell prompt as root. This is something I would like to block. Googling for the same has so far led me nowhere.
Would appreciate help in this regard.
--Syd
- 05-22-2011 #2
There are other ways to get around this also, for example
sudo bash
Then once at the prompt just issue su - and you are root.
Your best bet is to only allow them to run the commands they need in sudo, not everything.
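The advice in the reply above (an explicit command list rather than "everything except su") can be checked mechanically. The script below is an added example, not code from this thread: it writes two constructed sudoers fragments, one reproducing the original poster's "ALL minus su" setup and one using a whitelist plus sudo's session I/O logging (Defaults log_output, available since sudo 1.7.3, replayable with sudoreplay), and audits each for the bypassable blacklist pattern and for the logging the accounting requirement actually needs. Group names (sysadmins, su2oracle), command aliases, and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a sudoers file for the
# "ALL minus a few commands" pattern, which sudo bash, sudo sudo -i and
# editor shell escapes all walk around, and for session I/O logging.
# Group names, aliases and paths are assumed for illustration only.

# Constructed sample reproducing the original poster's setup.
write_weak_sudoers() {
    cat > "$1" <<'EOF'
Defaults    logfile=/var/log/sudo.log
Cmnd_Alias  SU = /bin/su
%sysadmins  ALL=(ALL) ALL, !SU
EOF
}

# Constructed sample of the whitelist-plus-logging approach: explicit
# command lists, and every session's input and output recorded under
# iolog_dir for sudoreplay (Defaults log_output, sudo 1.7.3 and later).
write_hardened_sudoers() {
    cat > "$1" <<'EOF'
Defaults    log_output
Defaults    iolog_dir=/var/log/sudo-io
Cmnd_Alias  SERVICES = /sbin/service, /usr/sbin/apachectl
Cmnd_Alias  SU2ORACLE = /bin/su - oracle
%sysadmins  ALL=(ALL) SERVICES
%su2oracle  ALL=(ALL) NOPASSWD: SU2ORACLE
EOF
}

# Print (with line numbers) every rule that grants ALL and then subtracts
# commands with '!'. Exit status is grep's: 0 if any were found.
find_blacklist_rules() {
    grep -nE '^[^#]*ALL[^#]*,[[:space:]]*!' "$1"
}

# Number of such rules, printed as a plain integer (0 when none).
count_blacklist_rules() {
    find_blacklist_rules "$1" | wc -l | tr -d ' '
}

# Returns 0 if some Defaults line turns on log_output, 1 otherwise.
has_io_logging() {
    grep -qE '^[[:space:]]*Defaults[^#]*log_output' "$1"
}

# Summarise one file: prints WEAK or OK and returns 1 or 0 accordingly.
audit_sudoers() {
    f=$1
    n=$(count_blacklist_rules "$f")
    if [ "$n" -gt 0 ]; then
        echo "WEAK: $n blacklist rule(s) in $f; bypassable via sudo bash, sudo sudo -i, editor shell escapes"
        find_blacklist_rules "$f"
        return 1
    fi
    if ! has_io_logging "$f"; then
        echo "WEAK: no 'Defaults log_output' in $f; command log only, no session replay"
        return 1
    fi
    echo "OK: $f uses explicit command lists with session logging"
}

# Stand-alone demo over the two constructed files.
demo_dir=$(mktemp -d)
write_weak_sudoers "$demo_dir/sudoers.weak"
write_hardened_sudoers "$demo_dir/sudoers.hardened"
audit_sudoers "$demo_dir/sudoers.weak" || true
audit_sudoers "$demo_dir/sudoers.hardened" || true
rm -rf "$demo_dir"
```

The check only looks for the literal "ALL ..., !" shape; it will not catch every way of writing an exclusion, and the sudoers manual itself states that excluding commands from ALL is not an effective security control. The point it does make concrete is that the accounting need in the original post is met by log_output (full session capture) rather than by trying to forbid shells, and the NOEXEC tag only blocks shell escapes from editors and pagers, not sudo bash itself.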
- 05-22-2011 #3
- 05-23-2011 #4 (Mumbai, India)
Hi,
It's not feasible for me to specify all the commands. The basic reason being that I've felt the need to configure sudo as an accounting process rather than a security process (organization policy). I need a track of the commands entered by system admins. As per your feedback, it seems there is no solution to the issue I'm facing.
On a lighter note, thanks for pointing out another way to circumvent the sudo setup. sudo bash didn't come to my mind.
--Syd
- 05-23-2011 #5
Sysadmins are the one group who actually need root to fulfil their role.
Imho, trying to blacklist certain commands is an act of futility and counter-productivity.
But what you might want to consider:
Introduce and enforce a config management tool like Cfengine or (better, imho) Puppet.
Combine that with a version control system of your choice (svn, git, etc.) and you have all the visibility and accountability you need.
This is what was established at my place:
- sysadmin commits a change to svn (for example a apache conf change)
- cfengine runs every 15min
- first action of cfengine is svn up (aka: pick up the latest changes)
- cfengine distributes the changed config files to the appropriate group of servers and also triggers dependent actions (for the apache config example: reload (or restart) apache)
As added bonuses:
- rollbacks are easy
- on top of the usual svn log, svn blame, etc. you can set up something like CVSTrac to visualize even more of what is going on.
- 06-17-2011 #6
SUDO Issue
Hi,
You can restrict users from doing "su - ID" or "su ID" on the system, so that only certified users can switch to any particular account except root. Follow the steps below.
Step 1. Create a group on the server so that only members of this group can use the "su" command to switch to the particular application account or 'root'.
Example: # groupadd su2oracle
Step 2. Add the user's ID to the newly created group so that they can switch to that account.
Example: add this ID (raj) to the su2oracle group. Note the -a flag: it appends the group, whereas -G on its own replaces the user's existing supplementary groups.
# usermod -aG su2oracle raj
Step 3: Create a new entry in /etc/sudoers against the respective group; take the below as an example.
Example:
Cmnd_Alias SU2ORACLE=/bin/su - oracle,/bin/su oracle
%su2oracle ALL= (ALL) NOPASSWD: SU2ORACLE
Step 4: Remove the execute permission for others on the su command.
# chmod o-x /bin/su
Thanks
Raj Kishore