How to prevent sudoers users from running restricted sudo commands after switching to root
Issue
- We granted sudouser the right to run all commands except some administrative commands such as /usr/sbin/useradd, by adding this entry to the /etc/sudoers file:
  sudouser ALL=(ALL) ALL, !/usr/bin/passwd root, !/usr/bin/passwd, !/usr/sbin/su, !/usr/sbin/su root, !/usr/sbin/visudo, !/usr/bin/vi /etc/sudoers, !/usr/bin/vi /etc/passwd, !/usr/bin/vi /etc/group, !/usr/bin/su, !/usr/bin/sudo su, !/usr/sbin/groupadd, !/usr/sbin/useradd, !/bin/chown, !/usr/sbin/usermod
- But the problem is that after sudouser switches to root by running the command sudo -s, he can run any command as root, including the restricted commands above. We do not want this to happen.
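The reason the deny list fails, and a safer shape for the entry, as an added example that is not part of the original article and is not Red Hat's resolution: sudo matches only the command it is asked to run, so once "ALL" lets sudouser start a root shell (sudo -s, sudo -i, /bin/bash) or a root editor, the "!" exclusions never see the commands that shell or editor spawns. sudoers(5) itself states that subtracting commands from ALL with "!" is generally not effective. The allowlist below assumes sudouser only needs to manage the httpd service and its configuration; the command paths are standard RHEL 7 locations and the specific commands are placeholders to replace with the real task.

```sudoers
# Added example (not from the original article, not Red Hat's fix).
# Intended for /etc/sudoers.d/sudouser, which the stock RHEL 7
# /etc/sudoers pulls in via "#includedir /etc/sudoers.d".
#
# Why the deny list fails: "ALL" also grants /bin/bash, /bin/sh,
# "sudo -s", "sudo -i" and any editor. sudo is never consulted for
# what a root shell or editor then executes, so every "!" exclusion
# is bypassed as soon as one of those runs as root. The allowlist
# below names only the commands sudouser actually needs.

# Assumed needs of sudouser (placeholder commands, adjust to the task).
# Arguments are fixed so the rule does not match other subcommands.
Cmnd_Alias SUDOUSER_SERVICES = /usr/bin/systemctl restart httpd, \
                               /usr/bin/systemctl reload httpd
Cmnd_Alias SUDOUSER_LOGS     = /usr/bin/journalctl --no-pager -u httpd

# sudoedit edits a temporary copy with the editor running as the
# invoking user, so there is never a root editor session to escape.
Cmnd_Alias SUDOUSER_EDIT     = sudoedit /etc/httpd/conf/httpd.conf

# NOEXEC stops the listed commands from spawning child processes
# (a pager, a "!sh" escape), so an allowed command cannot turn into
# a root shell. Do not apply it to commands that legitimately fork
# helpers (yum, for example, runs rpm scriptlets through /bin/sh);
# that is also why the pager-free journalctl form is used above.
sudouser ALL=(root) NOEXEC: SUDOUSER_SERVICES, SUDOUSER_LOGS
sudouser ALL=(root) SUDOUSER_EDIT
```

Check the file before relying on it: visudo -cf /etc/sudoers.d/sudouser validates the syntax, and sudo -l -U sudouser prints exactly what the user may run; if a shell, su, sudo or an interactive editor appears in that list (directly or through ALL), the restriction can still be bypassed regardless of any "!" entries.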
Environment
- Red Hat Enterprise Linux 7