Date: Mon, 14 Jun 2004 09:45:55 -0500
From: "Hauan, David" <david.hauan@fairchild.af.mil>
To: "John" <lists@itconsultuk.net>, <freebsd-questions@freebsd.org>
Subject: RE: want sudo but not sudo su - how
Message-ID: <59FD5336D1B1FA40AF6DDD241D8DBAC65DB5BB@amcw2ms517.amc.ds.af.mil>

> -----Original Message-----
> From: John [mailto:lists@itconsultuk.net]
> Sent: Saturday, June 12, 2004 6:30 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: want sudo but not sudo su - how
>
>
> On Sat, Jun 12, 2004 at 11:59:59AM +0000, Andy Smith wrote:
>
> > It might be best to just say "I don't want you doing this" and then
> > punish people who do, since you do have logs.
>
> yeah, thought this might be the case :| thanks for confirming it.
>
> > If you're trying to restrict what people can do with sudo it will be
> > better to explicitly list each binary they can run as root and make
> > sure there's no way they can modify those binaries.
>
> yeah, but too many binaries (or roles too diffuse, tightening up of which
> would be another way of handling it)
>

visudo and add

john ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

this will allow you to su to anyone but root

dave
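
An added example, not part of the original message: a simplified Python model of how sudo evaluates the Cmnd list in the reply above, run over constructed su invocations so the rule can be checked before it goes into sudoers. It assumes sudoers' documented behaviour that command-line arguments are matched as one space-joined string with shell-style wildcards and that the last matching entry wins; the account names are constructed.

```python
from fnmatch import fnmatchcase

# Cmnd list from the reply, in order: (negated, command path, argument pattern)
RULE = [
    (False, "/usr/bin/su", "[!-]*"),   # /usr/bin/su [!-]*
    (True,  "/usr/bin/su", "*root*"),  # !/usr/bin/su *root*
]


def decide(command, args, rule=RULE):
    """Return 'allow' or 'deny' for `sudo command args...`.

    Simplified model (assumption): arguments are joined with single
    spaces and matched as one string, the last matching entry in the
    list wins, and a command that matches no entry is denied.
    """
    joined = " ".join(args)
    verdict = "deny"
    for negated, path, pattern in rule:
        if command == path and fnmatchcase(joined, pattern):
            verdict = "deny" if negated else "allow"
    return verdict


# Constructed invocations; "alice" and "chroot-builder" are made-up accounts.
SAMPLES = [
    ["alice"],            # plain su to another user
    ["root"],             # caught by the negated entry
    ["-", "alice"],       # first argument starts with '-', no entry matches
    ["-l", "alice"],      # same: any leading option is rejected
    [],                   # bare `su`: "[!-]*" needs at least one character
    ["chroot-builder"],   # over-blocking: the name merely contains "root"
]


def report(samples=SAMPLES):
    """Evaluate every sample and return (command line, verdict) pairs."""
    return [(" ".join(["su"] + a), decide("/usr/bin/su", a)) for a in samples]


if __name__ == "__main__":
    for cmdline, verdict in report():
        print(f"{verdict:5}  sudo {cmdline}")
```

The model covers only the pattern matching; whether a given target account is acceptable still has to be reviewed against the system's own account list.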
