Try this:
Cmnd_Alias SU=/bin/su -
put this at the end of the sudoers file:
ALL ALL=!SU
If you want exceptions to the ALL, put them after.
Michael Hulet
Network System Administrator
ITTC, University of Kansas
On Thu, 16 Mar 2000, David Thompson wrote:
> Hi,
>
> I'm configuring ssh 1.5.9 on HP-UX 10.20, and I'm attempting to restrict root shells
> for the non-UNIX techies while still allowing them to su to other users. I've set up
> the following:
>
> ##
> # User alias specification
> ##
>
> User_Alias OTHER_SYSADS=usera,userb
> User_Alias UNIX_SYSADS=self
>
> ...
>
> ##
> # Command alias specification
> ##
>
> Cmnd_Alias SHELLS=/usr/bin/sh,/sbin/sh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/posix/sh,/usr/bin/keysh,/usr/old/bin/sh,/usr/bin/rsh,/usr/bin/rksh
> Cmnd_Alias SUPER_USER=/usr/bin/su *root*,/usr/bin/su [!-]*,/bin/su *root*,/bin/su [!-]*
> Cmnd_Alias PASSWORD=/bin/passwd root
> Cmnd_Alias VISUDO=/usr/local/sbin/visudo
>
> ...
>
> ##
> # User specification
> ##
>
> # UNIX sysadmins can run anything without a password
> UNIX_SYSADS ALL=NOPASSWD:ALL
>
> # Other sysadmins can run most things but can't su to root, run root shells, or
> # edit sudoers, the sudo log, or syslog.conf.
> OTHER_SYSADS ALL=NOPASSWD:ALL,!SHELLS,!SUPER_USER,!VISUDO,!PASSWORD,!SUDO_LOG,!SYSLOG_CONF
>
> This configuration doesn't work quite as planned. The problem is that I can't
> figure out how to allow the other admins to su to other users except root. I know
> the sample sudoers file that comes with the sudo package shows the following lines
> to restrict root access:
>
> # somedude may su to anyone but root and flags are not allowed
> somedude ALL=/usr/bin/su [!-]*, !/usr/bin/su *root*
>
> However, this seems to still allow root access if somedude simply types "sudo su -".
>
> Can anyone help?
>
> Thanks,
>
> -Dave
>
>
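To see which su invocations the quoted rules actually catch, here is an added Python model of sudo's command matching; it is example code written for this thread, not part of sudo or of either message. It assumes sudo's documented matching rules (a command's arguments are joined with spaces and glob-matched against the pattern as one string, and the last matching entry decides) and uses only the aliases and user specs quoted above.

```python
from fnmatch import fnmatchcase

# Cmnd aliases from the thread as (path, argument pattern); None = any args.
SUPER_USER = [("/usr/bin/su", "*root*"), ("/usr/bin/su", "[!-]*"),
              ("/bin/su", "*root*"), ("/bin/su", "[!-]*")]
SU = [("/bin/su", "-")]  # Michael's Cmnd_Alias SU=/bin/su -

def cmnd_matches(cmnd, path, args):
    """True if one Cmnd entry matches the command and arguments the user typed.
    Assumption (sudo's documented behaviour): the user's arguments are joined
    with spaces and glob-matched as one string against the pattern."""
    if cmnd == "ALL":
        return True
    cpath, cargs = cmnd
    if cpath != path:
        return False
    if cargs is None:        # no arguments in sudoers: any arguments allowed
        return True
    if cargs == '""':        # "" in sudoers: the command must take no arguments
        return not args
    return fnmatchcase(" ".join(args), cargs)

def evaluate(entries, path, args):
    """entries: list of (negated, cmnd) in sudoers order. As in sudo, the last
    matching entry decides; None means nothing matched (sudo would deny)."""
    verdict = None
    for negated, cmnd in entries:
        if cmnd_matches(cmnd, path, args):
            verdict = "deny" if negated else "allow"
    return verdict

def other_sysads_rule():
    """OTHER_SYSADS ALL=NOPASSWD:ALL,!SUPER_USER,... (the su-related part)."""
    return [(False, "ALL")] + [(True, c) for c in SUPER_USER]

def with_michaels_fix():
    """Same rule with 'ALL ALL=!SU' appended after it, so !SU matches last."""
    return other_sysads_rule() + [(True, c) for c in SU]

if __name__ == "__main__":
    for rule_name, rule in (("original", other_sysads_rule()),
                            ("with !SU appended", with_michaels_fix())):
        for args in (["-"], ["-", "root"], ["bob"]):
            print(rule_name, "su " + " ".join(args), "->",
                  evaluate(rule, "/bin/su", args))
```

The run shows the two effects the thread discusses: the original rule lets `su -` through because neither negated pattern matches a lone `-`, while `[!-]*` is the pattern that also blocks `su bob`; appending `!SU` changes only the `su -` verdict.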