how to deny "sudo su"
In order to properly avoid this you must take a different approach. If you disallow sudo su, I can still run sudo -u root /bin/sh. If you disallow this, I will write a small wrapper script and execute that... The only way to solve this is to only allow the needed commands.
% sudo ALL = (ALL) NOPASSWD: ALL
You have effectively given the users in the sudo group full, unrestricted control over your system. Trying to deny them access to the su binary is, as others have noted, futile, as they already have root privilege via sudo and membership of the group.
You should analyse the workflow of the users in the sudo group to determine which commands they need to run as root, and use sudo to give them privileged access to those commands only. If necessary, write scripts and give the sudo group access to run the script (make sure they don't have write access to it, though) rather than the individual commands within it.
For example, you may determine that your users need to be able to use kill and all of the commands in the directory /usr/local/sudocmds (where your local scripts live), so you would give them sudo access like so:
%sudo ALL=NOPASSWD: /usr/bin/kill, /usr/local/sudocmds
You can use command aliases too
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds
This adds the commands in the PRINTING and DUMPS Cmnd_Aliases to the list of commands that the sudo group can run.
Take a look at the sudoers man page for more information and examples.
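As an added illustration (not part of either answer above), the following script audits sudoers text for the two patterns both answers warn about: a user specification whose command list is ALL, and one that hands out a shell or su directly, which is the same thing in practice. The sample sudoers content is constructed for this example; it mixes the unrestricted rule quoted in the second answer with the restricted PRINTING/DUMPS rule from the same answer so you can see which lines are flagged and which are not. The audit_sudoers and count_unrestricted function names are this example's own.

```shell
#!/bin/sh
# Constructed sample sudoers content for this example (not a real file):
# one unrestricted rule, two rules that grant a shell or su, and the
# restricted command-alias rule from the answer above.
SAMPLE_SUDOERS='Defaults env_reset
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump
# the rule from the question: full root for the whole sudo group
%sudo ALL = (ALL) NOPASSWD: ALL
%ops ALL=(ALL) /bin/bash
%admin ALL=(root) /usr/bin/su
%sudo ALL=NOPASSWD: PRINTING, DUMPS, /usr/bin/kill, /usr/local/sudocmds
'

# Read sudoers text on stdin and print every user specification whose
# command list contains ALL or a shell/su binary.  Aliases, Defaults,
# comments and blank lines are skipped.  Limitation: a Cmnd_Alias that
# itself expands to ALL is not resolved here.
audit_sudoers() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
      line = $0
      idx = index(line, "=")
      if (idx == 0) next
      spec = substr(line, idx + 1)            # everything after "user host ="
      gsub(/\([^)]*\)/, "", spec)             # drop the (runas) list
      gsub(/[A-Z]+:/, "", spec)               # drop tags such as NOPASSWD:
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
        split(c, parts, " ")                  # keep the binary, drop arguments
        c = parts[1]
        if (c == "ALL" || c ~ /\/(sh|bash|dash|zsh|ksh|su)$/) {
          print line
          next
        }
      }
    }'
}

# Number of flagged rules in the constructed sample (expected: 3).
count_unrestricted() {
  printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers | wc -l | tr -d ' '
}

# Stand-alone run: list the rules that amount to unrestricted root.
printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run it against a real file with `sudo cat /etc/sudoers /etc/sudoers.d/* | sh -c '. ./audit.sh; audit_sudoers'` or simply paste the function into your shell; every line it prints is a rule for which denying su is pointless, because the listed users already have a root shell by other means.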