From: "Hauan, David" <david.hauan@fairchild.af.mil>
To: "John", freebsd-questions@freebsd.org
Date: Mon, 14 Jun 2004 09:45:55 -0500
Subject: RE: want sudo but not sudo su - how

> -----Original Message-----
> From: John [mailto:lists@itconsultuk.net]
> Sent: Saturday, June 12, 2004 6:30 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: want sudo but not sudo su - how
>
> On Sat, Jun 12, 2004 at 11:59:59AM +0000, Andy Smith wrote:
>
> > It might be best to just say "I don't want you doing this" and then
> > punish people who do, since you do have logs.
>
> yeah, thought this might be the case :| thanks for confirming it.
>
> > If you're trying to restrict what people can do with sudo it will be
> > better to explicitly list each binary they can run as root and make
> > sure there's no way they can modify those binaries.
>
> yeah, but too many binaries (or roles too diffuse, tightening
> up of which
> would be another way of handling it)
>

visudo and add

    john ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

this will allow you to su to anyone but root

dave
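To see what Dave's two-part sudoers entry actually permits before putting it in production, it helps to walk sample `su` invocations through sudoers-style matching. The following is an added example, not code from the thread or from the sudo project: it approximates how sudoers compares a command path plus its joined argument string against each rule's glob (sudoers uses fnmatch(3) for this; Python's `fnmatch` accepts the same `[!-]*` and `*root*` syntax), applies "last matching rule wins" so the `!` entry overrides the permit, and ignores the Host and Runas fields entirely. The `RULES`, `ALLOWLIST_RULES`, `is_permitted` and `evaluate_policy` names, and the sample invocations, are all constructed for this illustration. It also shows the allowlist variant Andy's quoted advice points at, where the permitted target accounts are listed explicitly instead of subtracting `root` by name.

```python
import fnmatch

# Dave's sudoers line, modelled as (negated, command path, argument glob).
# The real sudoers line is:  john ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*
RULES = [
    # Permit: su with an argument string whose first character is not '-'
    (False, "/usr/bin/su", "[!-]*"),
    # Deny: ...unless the argument string mentions root anywhere
    (True, "/usr/bin/su", "*root*"),
]

# Constructed allowlist alternative: name the target accounts that are
# allowed, rather than excluding "root" by pattern. Anything not listed
# (including an empty argument list, which su treats as root) is denied.
ALLOWLIST_RULES = [
    (False, "/usr/bin/su", "john"),
    (False, "/usr/bin/su", "build"),
]


def rule_matches(rule, command, args):
    """Approximation of sudoers matching: exact path, glob on the joined args.

    A rule that lists an argument pattern only matches when the invocation's
    arguments match it; with no arguments the joined string is empty and a
    pattern such as '[!-]*' (which needs at least one character) fails.
    """
    _negated, path, pattern = rule
    if command != path:
        return False
    joined = " ".join(args)
    return fnmatch.fnmatchcase(joined, pattern)


def is_permitted(command, args, rules=RULES):
    """Return True if the invocation is allowed under `rules`.

    sudoers semantics: entries are scanned in order and the last one that
    matches decides, so a later '!' entry overrides an earlier permit.
    """
    decision = False
    for rule in rules:
        if rule_matches(rule, command, args):
            decision = not rule[0]
    return decision


def evaluate_policy(rules=RULES):
    """Run a constructed set of invocations through the policy and report them."""
    samples = [
        ("/usr/bin/su", ["john"]),          # plain switch to an unprivileged user
        ("/usr/bin/su", ["build"]),         # another unprivileged user
        ("/usr/bin/su", []),                # no argument: su defaults to root
        ("/usr/bin/su", ["root"]),          # explicit root
        ("/usr/bin/su", ["-", "john"]),     # login shell form; first char is '-'
        ("/usr/bin/su", ["-m", "root"]),    # option then root
        ("/bin/sh", []),                    # not covered by the entry at all
    ]
    return {(cmd, " ".join(args)): is_permitted(cmd, args, rules) for cmd, args in samples}


if __name__ == "__main__":
    for label, rules in (("denylist (Dave's entry)", RULES), ("allowlist", ALLOWLIST_RULES)):
        print(f"== {label} ==")
        for (cmd, args), allowed in evaluate_policy(rules).items():
            print(f"{'ALLOW' if allowed else 'deny ':5} {cmd} {args}".rstrip())
```

Two things the walk-through makes visible. First, Dave's entry denies the bare `sudo su` (no argument) as well as `su root`, because the permit pattern needs at least one non-dash character to match, so the "anyone but root" claim holds for those forms. Second, the `[!-]*` pattern also rejects `su - john`, the login-shell form, which may or may not be what the administrator intended. The deny rule works by matching the literal text `root` in the arguments, so its coverage is exactly what the pattern names; the allowlist form reverses that, starting from deny and enumerating the accepted targets, which is the shape the sudoers documentation recommends over subtracting with `!`.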