How can we disable sudo su - and sudo bash -i

keerthi
Posts: 2
Joined: 2019/04/03 10:42:58

How can we disable sudo su - and sudo bash -i

Post by keerthi » 2019/04/03 10:45:29

Hi,

We have configured different levels of users and access. I have even tried disabling /sbin/nologin for root. Still, a user is able to get root by using sudo su - and sudo bash -i. We have to restrict root access for security purposes.

Is there any way to do that?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can we disable sudo su - and sudo bash -i

Post by TrevorH » 2019/04/03 15:55:13

Don't give them full sudo? You appear to have given your users the ability to execute anything they like rather than just what they need.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

keerthi
Posts: 2
Joined: 2019/04/03 10:42:58

Re: How can we disable sudo su - and sudo bash -i

Post by keerthi » 2019/04/04 08:45:10

Hi,

We have different levels of engineers, like l0, l1 and devops. I have restricted l0 and l1 to specific command execution. But for devops, I gave full permission, meaning sudo access, and disabled root login with /sbin/nologin. But still, if a user executes sudo bash -i, they can get root.

How can we restrict this so that no one is able to get root access, even with sudo?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How can we disable sudo su - and sudo bash -i

Post by jlehtone » 2019/04/04 10:11:33

Thou shalt not disable the root.


sudo allows user X to run command Y as user Z. If you let X run a shell as root, then that is what they can do.

The solution is to not give full permissions to the devops.


Note that if you let a user install a package, then they will install a package that grants them full permissions.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: How can we disable sudo su - and sudo bash -i

Post by hunter86_bg » 2019/04/09 04:04:30

Recently I read why blocking sudo su - is useless.
You can block that, but a user with unrestricted rights can do the following and still get root:

sudo cp -a /bin/bash /my-other-shell;  sudo /my-other-shell

Another example:

sudo mv /sbin/su /sbin/my-not-limited-su
sudo /sbin/my-not-limited-su -

Both examples show how such limitations are useless. Provide a list of commands in sudo and assign them to the engineers when needed.
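
Added example, not part of any post in this thread: a small Python audit that reads sudoers-style rules and flags the patterns the replies warn about, namely unrestricted ALL grants, deny-lists layered on top of ALL, and rules that allow a shell or su directly. The sample rules, the group names and the shell list are constructed assumptions; aliases, includes and line continuations are not handled.

```python
import os
import re

# Assumed list of programs that give an interactive root shell when run via sudo.
SHELLS = {"su", "bash", "sh", "zsh", "ksh", "csh", "tcsh", "dash"}

# Constructed sample shaped like the thread's l0 / l1 / devops setup.
SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
%l0      ALL=(root) /usr/bin/systemctl status httpd
%l1      ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
%devops  ALL=(ALL) ALL, !/bin/su, !/bin/bash
%dba     ALL=(root) NOPASSWD: /bin/bash
"""

# who  host = (runas) command-list
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...

def audit(text):
    """Return (who, finding, command) tuples for risky user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who = m.group(1)
        cmds = [TAGS.sub("", c.strip()) for c in m.group(2).split(",") if c.strip()]
        allows_all = "ALL" in cmds
        for c in cmds:
            if c.startswith("!"):
                if allows_all:
                    # Copying or renaming the binary sidesteps the negation.
                    findings.append((who, "denylist-on-ALL", c))
            elif c != "ALL" and os.path.basename(c.split()[0]) in SHELLS:
                findings.append((who, "root-shell", c))
        if allows_all:
            findings.append((who, "unrestricted", "ALL"))
    return findings

if __name__ == "__main__":
    for who, finding, cmd in audit(SAMPLE):
        print(f"{who:10} {finding:16} {cmd}")
```
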
