Allow user sudo, but exclude some privileges (run shells, etc)

By neokrates, written on April 20, 2010


You want to give a user sudo, but forbid a handful of commands, such as su and the shells. Here is how to write that in sudoers, and what the exclusion does and does not buy you.


  • Ubuntu Linux

Should also work for:

  • Most Linux distros that use sudo

Step 1.

Open /etc/sudoers

You must be root to do that. Use visudo rather than opening the file directly: it locks /etc/sudoers against concurrent edits and refuses to save a file with a syntax error, and a broken /etc/sudoers locks everyone out of sudo. visudo honours the EDITOR variable, so with your favorite editor (I use vim):

EDITOR=vim visudo

Step 2.

Enable the user for sudo, with exclusions

For example, I have the user almostsudouser. I allow him to run commands through sudo, but not su and not a shell:

I add to /etc/sudoers:

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh

Cmnd_Alias SU = /usr/bin/su

almostsudouser ALL = (ALL) ALL, !SU, !SHELLS

⚠ In some cases /etc/sudoers already carries Cmnd_Alias definitions for SHELLS and SU (the ones above are the example from the sudoers(5) manual page). If yours does not, add them; otherwise visudo warns "Cmnd_Alias `SU' referenced but not defined" and the exclusion matches nothing. Make sure the paths are the ones on your system: on Debian and Ubuntu sh, bash and su are installed in /bin (/bin/sh, /bin/bash, /bin/su), not /usr/bin, so with the paths above "sudo su -" still works, as one commenter below found. Check with "command -v su" or "which su".

⚠ Even with correct paths, the sudoers(5) manual warns that subtracting commands from ALL with "!" is not an effective security measure: sudo matches the command by path, so a user can copy a shell to another name and run the copy, and any editor, pager or interpreter that ALL still allows can spawn a shell. Treat the exclusions as a guard against accidents, not as a boundary against a hostile user; for that, replace ALL with the list of commands the user may actually run.
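As an added example (not part of the original howto), a POSIX sh script that builds the two aliases from whichever candidate binaries actually exist on the host, so that !SU and !SHELLS never reference a path that is not there, and then syntax-checks the result with "visudo -c -f" before you paste it into visudo. The candidate path list, the function names and the user name almostsudouser are assumptions for the demo; the /bin paths are where Debian and Ubuntu install these binaries, the /usr/bin ones are those from the howto.

```sh
#!/bin/sh
# Added example: generate a sudoers fragment whose Cmnd_Aliases only name
# binaries that exist on this host, then syntax-check it with visudo -c -f.
# Candidate paths, function names and the user name are demo assumptions.
set -u

# cmnd_alias NAME PATH... : print "Cmnd_Alias NAME = p1, p2" for the PATHs
# that exist and are executable. Returns 1 (prints nothing) if none do, so
# a caller never emits an alias that matches nothing.
cmnd_alias() {
  name=$1; shift
  members=
  for p in "$@"; do
    if [ -x "$p" ]; then
      members="${members:+$members, }$p"
    fi
  done
  [ -n "$members" ] || return 1
  printf 'Cmnd_Alias %s = %s\n' "$name" "$members"
}

# build_fragment FILE : write the aliases and the user rule into FILE.
# An exclusion is only appended to the rule when its alias could be defined;
# otherwise visudo would warn "Cmnd_Alias ... referenced but not defined".
build_fragment() {
  out=$1
  : > "$out"
  rule='almostsudouser ALL = (ALL) ALL'
  # /bin/... is where Debian/Ubuntu put these; /usr/bin/... matches the howto.
  if cmnd_alias SHELLS /bin/sh /bin/bash /bin/dash /bin/csh /bin/ksh /bin/tcsh /bin/zsh \
                       /usr/bin/sh /usr/bin/csh /usr/bin/ksh /usr/local/bin/tcsh /usr/bin/rsh >> "$out"; then
    rule="$rule, !SHELLS"
  else
    echo "warning: no shell found at any candidate path, !SHELLS omitted" >&2
  fi
  if cmnd_alias SU /bin/su /usr/bin/su >> "$out"; then
    rule="$rule, !SU"
  else
    echo "warning: su not found at /bin/su or /usr/bin/su, !SU omitted" >&2
  fi
  printf '%s\n' "$rule" >> "$out"
}

# check_fragment FILE : run visudo's check mode on FILE (it does not install it).
check_fragment() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$1"
  else
    echo "visudo not found; skipping syntax check" >&2
  fi
}

# Demo run: write the fragment to a temp file, show it, and check it.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
build_fragment "$tmp"
cat "$tmp"
check_fragment "$tmp" || echo "fix the fragment before adding it to /etc/sudoers" >&2
```

The script only prints the fragment; installing it is still your job, through visudo, so that the lock and the final syntax check apply to the real file. The warnings on stderr are the point of the exercise: an alias that resolves to nothing is exactly the situation the comment thread below ran into.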



4 Responses to “Allow user sudo, but exclude some privileges (run shells, etc)”

  1. Steve says:

    Entering this in the sudo config file:

    ## Allows people in group wheel to run all commands
    %wheel  ALL=(ALL)       ALL,!SU,!SHELLS

    results in

    visudo: Warning: Cmnd_Alias `SU' referenced but not defined
    visudo: Warning: Cmnd_Alias `SHELLS' referenced but not defined

    What do you have for the Cmnd_Alias lines for SU and SHELLS?

    • Oh, I thought this part is now default…
      As I can remember, in my sudoers it was

      Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                          /usr/local/bin/tcsh, /usr/bin/rsh
      Cmnd_Alias SU = /usr/bin/su

      Will update this howto. Thanks Steve!

  2. opsokkebalje says:

    Well,  this will still work:
    ~# sudo su -

    • admin says:

      Well, your command didn't work for me. I wonder why it worked in your case.
      Actually, /usr/bin/su should not be runnable (because of !SU).
      What does ~# which su say? Is it /usr/bin/su or maybe /bin/su?
