How can we disable sudo su - and sudo bash -i

Support for security such as Firewalls and securing linux
keerthi
Posts: 2
Joined: 2019/04/03 10:42:58

How can we disable sudo su - and sudo bash -i

Post by keerthi » 2019/04/03 10:45:29

Hi,

We have configured different levels of users and access. I have even tried disabling /sbin/nologin for root. Still, a user is able to get into root by using sudo su - and sudo bash -i. We have to restrict root access for security purposes.

Is there any way to do that?

TrevorH
Forum Moderator
Posts: 25608
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can we disable sudo su - and sudo bash -i

Post by TrevorH » 2019/04/03 15:55:13

Don't give them full sudo? You appear to have given your users the ability to execute anything they like rather than just what they need.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

keerthi
Posts: 2
Joined: 2019/04/03 10:42:58

Re: How can we disable sudo su - and sudo bash -i

Post by keerthi » 2019/04/04 08:45:10

Hi,

We have different levels of engineers, like l0, l1 and devops. I have restricted l0 and l1 to specific command execution. But for devops, I gave full permission, meaning sudo access, and disabled root login with /sbin/nologin. But still, if a user executes sudo bash -i, they can get into root.

How can we restrict it so that no one is able to get root access, even with sudo?

jlehtone
Posts: 2149
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How can we disable sudo su - and sudo bash -i

Post by jlehtone » 2019/04/04 10:11:33

Thou shalt not disable the root.


Sudo allows user X to run command Y as user Z. If you let X run a shell as root, then that is what they can do.

The solution is to not give full permissions to the devops.


Note that if you let a user install a package, then they will install a package that grants them full permissions.

hunter86_bg
Posts: 1758
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: How can we disable sudo su - and sudo bash -i

Post by hunter86_bg » 2019/04/09 04:04:30

Recently I read why blocking sudo su - is useless.
You can block that, but a user with unrestricted rights can do the following and still get root:

Code:

sudo cp -a /bin/bash /my-other-shell;  sudo /my-other-shell
Another example:

Code:

sudo mv /sbin/su /sbin/my-not-limited-su
sudo /sbin/my-not-limited-su -
Both examples show how such limitations are useless. Provide a list of commands in sudo and assign them to the engineers when needed.
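
A check that follows from the replies above, added here as an example and not part of any post in the thread: a small sudoers audit that flags rules granting ALL (with or without a `!command` denylist) or granting a shell directly. The sample rules, the group names and the finding labels are constructed assumptions, and the parser is deliberately simplified.

```python
import re

# Constructed sample sudoers content; the group names mirror the thread's
# l0 / l1 / devops levels but the rules themselves are assumptions.
SAMPLE_SUDOERS = """\
%devops ALL=(ALL) ALL, !/bin/su, !/bin/bash
%l1 ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/systemctl reload httpd
%l0 ALL=(root) NOPASSWD: /bin/bash
Defaults env_reset
"""

# Binaries that hand back an interactive root shell when run via sudo.
SHELLS = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash", "su"}
SKIP = ("#", "Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
# who  host = (runas) command-list
RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit(text):
    """Return (who, finding) pairs. Simplified: no alias expansion, no line
    continuations, no #include handling."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = None if not line or line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        cmds = [TAG.sub("", c.strip()) for c in m["cmds"].split(",")]
        allowed = [c for c in cmds if c and not c.startswith("!")]
        denied = [c for c in cmds if c.startswith("!")]
        if "ALL" in allowed:
            # A denylist on top of ALL is defeated by copying or renaming
            # the binary, as the last reply shows; report it separately.
            findings.append((m["who"], "ALL_MINUS_DENYLIST" if denied else "FULL_SUDO"))
        for c in allowed:
            if c.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append((m["who"], "SHELL_GRANTED"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(SAMPLE_SUDOERS):
        print(f"{who}: {finding}")
```

Only the %l1 rule, an explicit list of commands, passes without a finding.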
