Allow user sudo, but exclude some privileges (run shells, etc)
By neokrates, written on April 20, 2010
You want to give someone broad permissions by allowing them to use sudo, but you still want to prohibit some commands. Here is how.
- Ubuntu Linux
Should also work for:
- Most Linux distros with the sudo concept
You must be root to do that. Then use your favorite editor (I use vim):
Enable user for sudo, with exclusions
For example, I have a user named almostsudouser. I allow this user to run commands through sudo, but not su and not any shell under sudo:
I add to /etc/sudoers:
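    # Shells that must not be started through sudo
    Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh
    # su is excluded as well
    Cmnd_Alias SU = /usr/bin/su
    # Everything is allowed except the two aliases above
    almostsudouser ALL = (ALL) ALL, !SU, !SHELLS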
⚠ In some cases, /etc/sudoers already has the Cmnd_Alias definitions for both SHELLS and SU. If that is not the case for you, make sure the definitions are present and valid, i.e. that /usr/bin/sh and /usr/bin/su really exist.
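One way to run the validity check from the note above, as an added example that is not part of the original post: a shell function that reads the Cmnd_Alias definitions from a sudoers file and lists the members that are not executable files on this host. The function names and the scratch-file sample are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Syntax is a separate check: visudo -c -f FILE

# Print "ALIAS /path" for each Cmnd_Alias member that is an absolute path.
# Assumes one alias per Cmnd_Alias line; members that name other aliases
# or directories (trailing "/") are skipped.
alias_members() {
    awk '
        { buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, " ", buf); next }   # join continuation lines
        {
            if (buf ~ /^[ \t]*Cmnd_Alias[ \t]/) {
                sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", buf)
                eq = index(buf, "=")
                name = substr(buf, 1, eq - 1)
                gsub(/[ \t]/, "", name)
                n = split(substr(buf, eq + 1), members, ",")
                for (i = 1; i <= n; i++) {
                    split(members[i], words, " ")   # drop command arguments
                    w = words[1]
                    if (substr(w, 1, 1) == "/" && substr(w, length(w)) != "/")
                        print name, w
                }
            }
            buf = ""
        }
    ' "$1"
}

# Print the members that are not executable regular files on this host.
missing_alias_paths() {
    alias_members "$1" | while read -r name path; do
        [ -f "$path" ] && [ -x "$path" ] || printf '%s %s\n' "$name" "$path"
    done
}

# Constructed sample: the aliases from the post, written to a scratch file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                    /usr/local/bin/tcsh, /usr/bin/rsh, \
                    /usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
EOF
missing_alias_paths "$sample"
rm -f "$sample"
```

Every line of output is an alias member that matches nothing on this host, so that exclusion has no effect as written. The exclusions match only the exact paths listed, and the security notes in the sudoers(5) manual caution that subtracting commands from ALL with `!` is generally not an effective restriction on its own.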