disable "sudo su"

Matthew Flaschen matthew.flaschen at gatech.edu
Wed Mar 14 22:26:47 UTC 2007


Alan Pope wrote:
> On Wed, Mar 14, 2007 at 06:25:34PM +0530, Sumith augustine wrote:
>> Hi all,
>>
>>
>> Inorder to get the log of all the commands used by the users i ve added them
>> in my /etc/sudoers file by adding a  line
>> "%username ALL=(ALL) ALL".
>>
>> I did this because i want them to ve root previlage, but at the same time i
>> dont want them to use the command "sudo su" :-)
>> How can i dissable "sudo su" ?
>>
> 
> You are better of specifying exactly what commands you *do* want them to use 
> rather than those that you don't:-

Also, you don't need to allow any text viewing programs, which are
vulnerable to privilege escalation (forget shell escapes; emacs has
built-in shells).  Instead, only allow sudoedit, which doesn't run any
other program as root.

Matthew Flaschen




More information about the ubuntu-users mailing list