
How can we disable sudo su - and sudo bash -i

Posted: 2019/04/03 10:45:29
by keerthi
Hi,

We have configured different levels of users and access. I have even tried setting the root shell to /sbin/nologin. Still, a user is able to get into root by using sudo su - and sudo bash -i. We have to restrict root access for security purposes.

Is there any way to do that?

Re: How can we disable sudo su - and sudo bash -i

Posted: 2019/04/03 15:55:13
by TrevorH
Don't give them full sudo? You appear to have given your users the ability to execute anything they like rather than just what they need.

Re: How can we disable sudo su - and sudo bash -i

Posted: 2019/04/04 08:45:10
by keerthi
Hi,

We have different levels of engineers, like l0, l1 and devops. I have restricted l0 and l1 to specific command execution. But for devops I gave full permission, meaning sudo access, and disabled root login via /sbin/nologin. But still, if the user executes sudo bash -i, they can get into root.

How can we restrict it so that no one is able to get root access, even via sudo?

Re: How can we disable sudo su - and sudo bash -i

Posted: 2019/04/04 10:11:33
by jlehtone
Thou shalt not disable the root.

The sudo allows user X to run command Y as user Z. If you let X run a shell as root, then that is what they can do.

The solution is to not give full permissions to the devops.

Note that if you let a user install a package, then they will install a package that grants them full permissions.

Re: How can we disable sudo su - and sudo bash -i

Posted: 2019/04/09 04:04:30
by hunter86_bg
Recently I read why blocking sudo su - is useless.
You can block that, but a user with unrestricted rights can do the following and still get root:

sudo cp -a /bin/bash /my-other-shell; sudo /my-other-shell

Another example:

sudo mv /sbin/su /sbin/my-not-limited-su
sudo /sbin/my-not-limited-su -

Both examples show how such limitations are useless. Provide a list of commands in sudo and assign them to the engineers as needed.
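The replies all point the same way: an explicit command list in sudoers instead of ALL. As an added example that is not part of this thread, the fragment below shows the rule the original poster has now, the "ALL minus a few commands" rule people usually try next (and why it does not hold), and a restricted rule. The group name devops, the httpd service and the command paths are assumptions for illustration.

```sudoers
## Added example, not from the thread. Group "devops", service "httpd" and the
## command paths below are assumptions; adjust to the real roles and binaries.

## 1. What the original poster has now: full sudo. "sudo su -", "sudo bash -i"
##    and "sudo cp -a /bin/bash /x; sudo /x" all work, because ALL means all.
# %devops ALL=(ALL) ALL

## 2. The tempting next step: full sudo minus a few commands. Ineffective, as
##    the replies show: the user copies or renames the shell (or installs a
##    package) and the exclusion no longer matches anything.
# %devops ALL=(ALL) ALL, !/usr/bin/su, !/bin/bash

## 3. Restricted: an allow-list of absolute paths with fixed arguments, and
##    nothing else. Keep out anything that can create or run an arbitrary
##    program as root: shells, su, cp/mv/install, editors, package managers.
Cmnd_Alias DEVOPS_SERVICES = /usr/bin/systemctl restart httpd, \
                             /usr/bin/systemctl status httpd
Cmnd_Alias DEVOPS_LOGS     = /usr/bin/tail -n 200 /var/log/httpd/error_log

%devops ALL=(root) DEVOPS_SERVICES, DEVOPS_LOGS

## Some allowed commands can still launch another program as root (a pager
## or an editor). noexec makes sudo refuse those child executions; verify the
## command still behaves as intended with it switched on.
Defaults!DEVOPS_SERVICES noexec
```

Put the fragment in its own file under /etc/sudoers.d/ and check it with `visudo -c -f /etc/sudoers.d/devops` before relying on it; `sudo -l -U <user>` then shows exactly what that account may run, which is the review the thread recommends doing per role.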