4

So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password. The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password. Here's the /etc/sudoers file:

Defaults targetpw    
%users ALL=(ALL) ALL 

root    ALL=(ALL) ALL

support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql

Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?

Ed Manet

1 Answer

7

They can mount? Then they have everything to become superuser. There are some other interesting commands, too.

You really want to make /etc/sudoers a white-list, and not a black-list.

With proper file and directory access bits and user/group settings, you should not need sudo in your daily work.

Turbo J
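As an added example (not code from either poster), this small audit script flags the blacklist-style entries the answer warns about: whole-directory grants, `!` negations and `ALL`. The sample input is the question's sudoers file plus one constructed line showing the "deny /bin/su" form; the issue labels are hypothetical names, and the parser assumes simple one-host rules without escaped commas.

```python
import re

# Sample input: the rules quoted in the question, plus one constructed last
# line showing the "deny /bin/su" form the question asks about.
SUDOERS = r"""
Defaults targetpw
%users ALL=(ALL) ALL
root    ALL=(ALL) ALL
support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql
support ALL=(ALL) NOPASSWD: /bin/, !/bin/su
"""

RULE = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit(text):
    """Return (user, issue, command, nopasswd) for each blacklist-style grant."""
    findings = []
    text = text.replace("\\\n", " ")  # join continuation lines
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if not line or line.startswith(SKIP) or not m:
            continue  # blank, comment, Defaults/alias, or unsupported syntax
        who, cmds = m.groups()
        nopasswd = False
        for item in cmds.split(","):  # assumption: no escaped commas in args
            item = item.strip()
            tags = TAGS.match(item)
            if tags:  # tags such as NOPASSWD: carry over to later commands
                names = re.findall(r"[A-Z_]+(?=:)", tags.group())
                if "NOPASSWD" in names:
                    nopasswd = True
                elif "PASSWD" in names:
                    nopasswd = False
                item = item[tags.end():].strip()
            if item == "ALL":
                findings.append((who, "all-commands", item, nopasswd))
            elif item.startswith("!"):
                findings.append((who, "negation", item, nopasswd))
            elif item.endswith("/"):  # every file in that directory
                findings.append((who, "whole-directory", item, nopasswd))
    return findings

if __name__ == "__main__":
    for finding in audit(SUDOERS):
        print(finding)
```

Only the `/usr/bin/mysql` grant passes without a finding, since it names one full path; every other rule for `support` is a candidate for replacement with an explicit list of commands.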