Date: Mon, 14 Jun 2004 09:45:55 -0500
From: "Hauan, David" <david.hauan@fairchild.af.mil>
To: "John" <lists@itconsultuk.net>, <freebsd-questions@freebsd.org>
Subject: RE: want sudo but not sudo su - how
Message-ID: <59FD5336D1B1FA40AF6DDD241D8DBAC65DB5BB@amcw2ms517.amc.ds.af.mil>

> -----Original Message-----
> From: John [mailto:lists@itconsultuk.net]
> Sent: Saturday, June 12, 2004 6:30 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: want sudo but not sudo su - how
>
>
> On Sat, Jun 12, 2004 at 11:59:59AM +0000, Andy Smith wrote:
>
> > It might be best to just say "I don't want you doing this" and then
> > punish people who do, since you do have logs.
>
> yeah, thought this might be the case :| thanks for confirming it.
>
> > If you're trying to restrict what people can do with sudo it will be
> > better to explicitly list each binary they can run as root and make
> > sure there's no way they can modify those binaries.
>
> yeah, but too many binaries (or roles too diffuse, tightening up of which
> would be another way of handling it)
>

visudo and add

john ALL = /usr/bin/su [!-]*, !/usr/bin/su *root*

this will allow you to su to anyone but root

dave
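
Added example, not part of the original message: a small Python model of how a sudoers Cmnd list like the one above is evaluated, usable as a regression check when editing the rule. It assumes sudoers semantics of last-match-wins and wildcard matching against the space-joined argument string; `parse_cmnd_list`, `is_allowed` and the test invocations are hypothetical names and constructed inputs.

```python
import fnmatch
import shlex

# Rule text from the message above (Cmnd list for user john).
RULE = "/usr/bin/su [!-]*, !/usr/bin/su *root*"

def parse_cmnd_list(rule):
    """Split a sudoers Cmnd list into (negated, path, args_pattern) entries.
    Simplified: does not handle escaped commas or aliases."""
    entries = []
    for item in rule.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].lstrip()
        path, _, args = item.partition(" ")
        # args is None when the entry names no arguments (any args accepted)
        entries.append((negated, path, args.strip() or None))
    return entries

def is_allowed(rule, command_line):
    """Model of sudoers matching (assumed semantics): arguments are compared
    as one space-joined string using shell-style wildcards, and the last
    matching entry in the list decides. No match at all means denied."""
    argv = shlex.split(command_line)
    path, args = argv[0], " ".join(argv[1:])
    verdict = False
    for negated, pat_path, pat_args in parse_cmnd_list(rule):
        if not fnmatch.fnmatchcase(path, pat_path):
            continue
        if pat_args is not None and not fnmatch.fnmatchcase(args, pat_args):
            continue
        verdict = not negated
    return verdict

# Constructed test invocations, not taken from the thread.
CASES = ["/usr/bin/su alice", "/usr/bin/su", "/usr/bin/su -",
         "/usr/bin/su - alice", "/usr/bin/su root", "/usr/bin/su webroot"]

if __name__ == "__main__":
    for case in CASES:
        print(f"{'allow' if is_allowed(RULE, case) else 'deny':5}  {case}")
```

The `webroot` case shows that the deny pattern is a substring match on the whole argument string, so any account name containing "root" is refused as well. On a real host, `visudo -c` checks the syntax of the edited file.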