Hi,
We have configured different levels of users and access. I have even tried disabling /sbin/nologin for root. Still, a user is able to get into root by using sudo su - and sudo bash -i. We have to restrict root access for security purposes.
Is there any way to do that?
How can we disable sudo su - and sudo bash -i?
Re: How can we disable sudo su - and sudo bash -i
Don't give them full sudo? You appear to have given your users the ability to execute anything they like rather than just what they need.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: How can we disable sudo su - and sudo bash -i
Hi,
We have different levels of engineers, like l0, l1 and devops. I have restricted l0 and l1 to specific command execution. But for devops I gave full permission, meaning sudo access, and disabled root login, like /sbin/nologin. But still, if the user executes sudo bash -i, they can get into root.
How can we restrict this, so that no one is able to get root access, even with sudo?
Re: How can we disable sudo su - and sudo bash -i
Thou shalt not disable the root.
sudo allows user X to run command Y as user Z. If you let X run a shell as root, then that is what they can do.
The solution is to not give full permissions to the devops.
Note that if you let a user install a package, then they will install a package that grants them full permissions.
Re: How can we disable sudo su - and sudo bash -i
Recently I read why blocking sudo su - is useless.
You can block that, but a user with unrestricted rights can do the following and still get root:
Code:
sudo cp -a /bin/bash /my-other-shell; sudo /my-other-shell
Another example:
Code:
sudo mv /sbin/su /sbin/my-not-limited-su
sudo /sbin/my-not-limited-su -
Both examples show how useless this kind of limitation is. Provide a list of commands in sudo and assign them to the engineers once needed.
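To find which sudoers rules still amount to full root, as the replies above describe, here is an added audit sketch (not code from any poster in this thread). It flags ALL grants, '!' blacklists, shells and package managers. Assumptions: simplified sudoers parsing (no line continuations or includes, one level of Cmnd_Alias), a constructed sample, and illustrative SHELLS and PKG_TOOLS lists.

```python
import re

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}  # illustrative list
PKG_TOOLS = {"yum", "dnf", "rpm"}                                   # illustrative list

# Constructed sample, not taken from the thread; only the group names follow it.
SAMPLE_SUDOERS = """\
Cmnd_Alias L1_CMDS = /usr/bin/systemctl restart httpd, /usr/bin/yum
%l0      ALL=(root) /usr/bin/systemctl status httpd
%l1      ALL=(root) L1_CMDS
%devops  ALL=(ALL) ALL, !/bin/su, !/bin/bash
"""

def split_cmds(spec):
    """Split a command list on commas and drop tags such as NOPASSWD:."""
    return [re.sub(r"^(?:[A-Z_]+:\s*)+", "", c.strip()) for c in spec.split(",") if c.strip()]

def audit(text):
    """Return sorted (principal, finding) pairs for rules that amount to root."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        rule = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)", line)
        if alias:
            aliases[alias.group(1)] = split_cmds(alias.group(2))
        elif rule and not re.match(r"Defaults|\w+_Alias\s", line):
            rules.append((rule.group(1), split_cmds(rule.group(2))))
    findings = set()
    for who, cmds in rules:
        expanded = [c for cmd in cmds for c in aliases.get(cmd, [cmd])]  # one alias level
        # Basenames of permitted commands; '!' entries are exclusions, not grants.
        allowed = {c.split()[0].rsplit("/", 1)[-1] for c in expanded if c and not c.startswith("!")}
        if "ALL" in allowed:
            denied = any(c.startswith("!") for c in expanded)
            findings.add((who, "ALL with '!' exclusions" if denied else "ALL"))
        if allowed & SHELLS:
            findings.add((who, "root shell"))
        if allowed & PKG_TOOLS:
            findings.add((who, "package manager"))
    return sorted(findings)

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_SUDOERS):
        print(f"{who}: {finding}")
```

Every principal it reports needs its rule replaced by an explicit list of commands; a clean result is not proof of safety, since many other permitted programs can also start a shell.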