HOW TO: disable sudoer from editing /etc/sudoers file?

Solution 1:

This depends on how much access you have given people who use sudo. If you have given people sufficient privilege to enable them to use sudo in an unrestricted manner then you pretty much have to trust them.

You can explicitly deny access to the visudo command

sudouser ALL=ALL, !/usr/sbin/visudo

then

$ sudo visudo
[sudo] password for sudouser:
Sorry, user sudouser is not allowed to execute '/usr/sbin/visudo' as root on host1.lan

however this doesn't stop people from, for example, running a shell and then running visudo

sudo -s
visudo

Bingo !

The only other solution is to reduce the scope of people's access via sudo. To do this you would have to analyse their privilege requirements and give them access via sudo to only those commands that they really need by use of command aliases etc.

Solution 2:

Using traditional unix permissions, I think that is hard: as long as you can run any command via sudo that will allow you to do editing[*], then you're kinda screwed.

There are other security models available in Linux, though not so widely deployed and configured; for example, SELinux and AppArmour. You might be able to configure those to restrict access to what you desire.

Starting with a goal of "I want my sudo users to be able to do anything" and then taking away certain privileges is probably a hard way to do things: there are many ways to modify sudoers that don't involve directly editing (for example, replace the mail startup script with a script that i) copies over a new sudoers and then starts sendmail; reboot system; voila!)

In that sense, if you trust your users to do anything to your system, then you have to trust them to do anything to your system (on a technical level, at least).