Disabling sudo su in Ubuntu 14.04
I need to accomplish the following things.
Disable Ubuntu user.
Disable
sudo sufor all users.Each user should able to execute
sudo <command>.
I have modified my sudoer file as below:
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Cmnd_Alias NSHELLS = /bin/sh,/bin/bash
Cmnd_Alias NSU = /bin/su
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
**%sysadmins ALL=(ALL) NOPASSWD:ALL ,!NSHELLS, !NSU**
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
Still, I can access sudo using the command:sudo sudo su
How to disable this? Any help is highly appreciated.
With respect, if you get what you ask for and somebody can run sudo <anything but su>, they can:
- Run
sudo bash - Run
sudo -i - Create a script that does something similar (including directly running
su). - Just edit the configuration with
sudo visudo
The point I'm trying to make is that if you allow people to run anything (or even nearly anything), they are as good as root. There are incalculable numbers of ways they could circumvent you.
If you only want them to be able to run a finite number of commands as root, create a new group (eg semisudo) and add each command to sudoers, like so:
%semisudo localhost=/path/to/command
%semisudo localhost=/path/to/another/command
And then add the user to that group and kick them out of admin/sudo.
Edit /etc/sudoers:
root ALL=(ALL:ALL) ALL, !/usr/bin/su