5.14. Restricting root’s Abilities via sudo

Problem

You want to let a user run all commands as root except for specific exceptions, such as su.

Solution

Don’t.

Instead, list all the permissible commands explicitly in /etc/sudoers. Don’t try the reverse—letting the user run all commands as root “except these few”—which is prohibitively difficult to do securely.

Discussion

It’s tempting to try excluding dangerous commands with the “!” syntax:

/etc/sudoers:
smith  ALL = (root) !/usr/bin/su ...

but this technique is fraught with problems. A savvy user can easily get around it by renaming the forbidden executables:

smith$ ln -s /usr/bin/su gimmeroot
smith$ sudo gimmeroot

Instead, we recommend listing all acceptable commands individually, making sure that none have shell escapes.
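
To find existing rules that rely on the “!” exclusion pattern so they can be rewritten as explicit allow-lists, a small audit script helps. The following is an added example, not code from the book: the sample sudoers text, the users other than smith, and the function name find_negated_command_rules are constructed for illustration, and the parser is deliberately simplified (one host spec per line, no escaped commas, comments only at the start of a line).

```python
import re

# Constructed sudoers fragment for illustration; not from a real host.
SAMPLE = r"""
# constructed example
Defaults   !requiretty
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
smith  ALL = (root) ALL, !/usr/bin/su
jones  ALL = (root) NOPASSWD: ALL, \
               !SHELLS
backup ALL = (root) /usr/bin/rsync, /bin/tar
"""

def find_negated_command_rules(text):
    """Return (subject, negated_entries, grants_all) for each rule whose
    command list contains a '!' entry (simplified sudoers parsing)."""
    findings = []
    text = re.sub(r"\\\n\s*", "", text)           # join continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue          # '!' on a Defaults line negates a flag, not a command
        left, sep, right = line.partition("=")
        words = left.split()
        if not sep or not words:
            continue
        if words[0].endswith("_Alias") and words[0] != "Cmnd_Alias":
            continue          # user/host/runas aliases hold no commands
        subject = " ".join(words[:2]) if words[0] == "Cmnd_Alias" else words[0]
        right = re.sub(r"\([^)]*\)", "", right)   # drop Runas spec such as (root)
        right = re.sub(r"\b[A-Z_]+:", "", right)  # drop tags such as NOPASSWD:
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if negated:
            findings.append((subject, negated, "ALL" in cmds))
    return findings

if __name__ == "__main__":
    for subject, negated, grants_all in find_negated_command_rules(SAMPLE):
        kind = "ALL minus exceptions" if grants_all else "negated entry"
        print(f"{subject}: {kind}: {', '.join(negated)}")
```

Each rule it reports is a candidate for replacement with an explicit list of permitted commands, as the backup entry in the sample does.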

See Also

sudo(8), sudoers(5).
