Allow user sudo, but exclude some privileges (run shells, etc)
By neokrates, written on April 20, 2010
You want to give someone sudo rights, but you also want to prohibit some commands. Here is how.
Software:
- Ubuntu Linux
Should also work for:
- Most Linux distros that use sudo
Step 1.
Open /etc/sudoers
You must be root to do that. Then use your favorite editor (I use vim):
vim /etc/sudoers
Step 2.
Enable user for sudo, with exclusions
For example, I have the user almostsudouser. I allow him to use sudo, but not to run su or a shell under sudo:
I add to /etc/sudoers:
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
almostsudouser ALL = (ALL) ALL, !SU, !SHELLS
In some cases, /etc/sudoers already has the Cmnd_Alias definitions for both SHELLS and SU. If yours does not, add them and make sure they are valid, i.e. that paths such as /usr/bin/sh and /usr/bin/su are really there.
Done.
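The validity check from the last paragraph, as an added example that is not part of the original howto: a deny entry for a path where the binary does not exist never matches anything, so each listed path should be verified on the target machine. The function names and the sample file are made up for this sketch, and it assumes the alias layout used in this howto (spaces around "=", no spaces inside paths).

```shell
#!/bin/sh
# Added example: check that every path denied through a Cmnd_Alias exists.
# Assumption: aliases are written as in this howto ("NAME = path, path, \").

# alias_paths FILE NAME: print one path per line from "Cmnd_Alias NAME = ...".
alias_paths() {
    awk -v name="$2" '
    {
        line = buf $0
        # Join lines that end in a backslash continuation.
        if (sub(/\\[ \t]*$/, " ", line)) { buf = line; next }
        buf = ""; $0 = line
        if ($1 != "Cmnd_Alias" || $2 != name) next
        sub(/^[^=]*=/, "")
        n = split($0, part, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", part[i])
            if (part[i] != "") print part[i]
        }
    }' "$1"
}

# audit_alias FILE NAME: report each denied path; return 1 if any is absent.
audit_alias() {
    missing=0
    for p in $(alias_paths "$1" "$2"); do
        if [ -f "$p" ]; then
            echo "ok       $p"
        else
            # Show where a command of that name resolves on this system.
            real=$(command -v "$(basename "$p")" 2>/dev/null || true)
            echo "MISSING  $p (PATH lookup gives: ${real:-nothing})"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: the alias definitions from this howto.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
EOF
for a in SU SHELLS; do
    audit_alias "$sample" "$a" || echo "-> $a: correct the paths before relying on !$a"
done
```

To audit a real configuration, point audit_alias at a readable copy of the sudoers file instead of the sample.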

Entering this in the sudo config file:
%wheel ALL=(ALL) ALL,!SU,!SHELLS
results in
visudo: Warning: Cmnd_Alias `SU’ referenced but not defined
visudo: Warning: Cmnd_Alias `SHELLS’ referenced but not defined
What do you have for the Cmnd_Alias lines for SU and SHELLS?
Oh, I thought this part is now default…
As I can remember, in my sudoers it was
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Will update this howto. Thanks Steve!
Well, this will still work:
~# sudo su -
Well, your command didn’t work for me. I wonder why it worked in your case.
Actually, /usr/bin/su should not be runnable (because of !SU).
What does
~# which su
say? Is it /usr/bin/su or maybe /bin/su?