
I have a list of system users who have access to almost everything via sudo. Now I would like to restrict their sudo access for command su.

I would like to restrict su command for every user on system and allow every system user to be able to su to a specific user (in this case it is tomcat):

# user_name should be able to do *sudo su tomcat* but not *sudo su another_user*
user_name ALL=/bin/, !/bin/su, /bin/su tomcat

I tried different combinations for this but unfortunately couldn't make it work.

Here is my complete /etc/sudoers file:

Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root ALL=(ALL) ALL

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

The /etc/sudoers.d/ has another file which contains the following:

meraj ALL=(ALL) NOPASSWD:ALL
siraj ALL=(ALL) NOPASSWD:ALL

# Members of the group 'sysadmin' may gain root privileges
%sysadmin ALL=(ALL) NOPASSWD:ALL

Update 2: When I do sudo -l from user meraj, I get this:

Matching Defaults entries for meraj on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User meraj may run the following commands on this host:
    (ALL) NOPASSWD: ALL
    (root) ALL, (root) !/bin/su
    (root) /bin/su tomcat

When I do sudo /bin/su tomcat or sudo /bin/su siraj then it asks me the password:

[sudo] password for meraj: 

1 Answer

username ALL=(root) /bin/su tomcat

works for me. If it doesn't work for you, it may be because of another entry in the sudoers file, that permits a much wider range of commands, possibly unrestricted access to /bin/su - we'd need to see the whole of your sudoers file, unredacted, as well as detailed cut-and-paste of the failures, to be able to comment on that.

Edit: you have clarified that you are elsewhere granting the users permissions to do everything. I found that explicitly removing sudo privileges to do su, with eg

username ALL=(root) ALL, !/bin/su 

before giving them back just for tomcat with the line I quote at the beginning of my answer, worked. If this doesn't work for you, could you show us the output of sudo -l for such a user, plus the outputs of sudo /bin/su tomcat and sudo /bin/su userC (where userC is a third user)?
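As an added illustration (not code from the question or the answer), a small Python model of sudo's "last matching entry wins" evaluation, run over the page's own entries: the blanket NOPASSWD:ALL grant from /etc/sudoers.d, the `ALL, !/bin/su` line and the `/bin/su tomcat` line. It assumes a simplified sudoers grammar (no aliases, hosts or wildcards) and, as sudoers does, treats a command given without arguments as matching any arguments.

```python
import re

# Constructed from the question's entries: the blanket grant from /etc/sudoers.d,
# followed by the two lines the answer suggests appending after it.
SUDOERS = """\
meraj ALL=(ALL) NOPASSWD:ALL        # /etc/sudoers.d drop-in (blanket grant)
meraj ALL=(root) ALL, !/bin/su      # take su away again, for any arguments
meraj ALL=(root) /bin/su tomcat     # give su back for the tomcat target only
"""

# Same three lines with the blanket grant last (the restrictions placed before
# the #includedir line would produce this order): the grant is now the last match.
SUDOERS_GRANT_LAST = "\n".join(SUDOERS.splitlines()[1:] + SUDOERS.splitlines()[:1])

def parse(text):
    """Return (user, runas, cmnd) triples in file order; host fields are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, rest = line.split(None, 1)          # 'meraj', 'ALL=(root) ALL, !/bin/su'
        spec = rest.split("=", 1)[1].strip()      # '(root) ALL, !/bin/su'
        runas = "ALL"
        if spec.startswith("("):
            runas, spec = spec[1:].split(")", 1)
        for cmnd in spec.split(","):
            cmnd = re.sub(r"^NOPASSWD:\s*", "", cmnd.strip(), flags=re.I)
            rules.append((user, runas.strip(), cmnd))
    return rules

def cmnd_matches(pattern, command):
    """No arguments in the rule = any arguments allowed; with arguments = exact match."""
    if pattern == "ALL":
        return True
    if " " in pattern:
        return pattern == command
    return command.split()[0] == pattern

def decide(rules, user, runas, command):
    """Walk every matching entry in order; the LAST match decides, and a '!' match denies."""
    allowed = False                                # nothing matched: not permitted
    for rule_user, rule_runas, cmnd in rules:
        if rule_user != user or rule_runas not in ("ALL", runas):
            continue
        negated = cmnd.startswith("!")
        if cmnd_matches(cmnd.lstrip("!"), command):
            allowed = not negated
    return allowed

if __name__ == "__main__":
    for name, text in (("restrictions last", SUDOERS), ("grant last", SUDOERS_GRANT_LAST)):
        for cmd in ("/bin/su tomcat", "/bin/su siraj", "/bin/su"):
            verdict = "allowed" if decide(parse(text), "meraj", "root", cmd) else "denied"
            print(f"{name}: {cmd!r:18} -> {verdict}")
```

With the restrictions last, only `/bin/su tomcat` survives; with the blanket grant last, every `su` target is allowed again, which is why the position of the `!/bin/su` line relative to the `#includedir` drop-ins matters. Real sudo is checked with `sudo -l`, not with this model.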

  • @MadHatler Thanks for the response. I have updated the question with further details. Commented Mar 23, 2016 at 10:45
  • And I my answer. Commented Mar 23, 2016 at 10:50
  • Question has been updated with further information and output of the commands. Commented Mar 23, 2016 at 11:05
  • If that output is current, you haven't done what I suggested in this answer. Also, what happens if you provide the password? Commented Mar 23, 2016 at 11:41
  • I added these two lines to the end of the sudoers file: 'meraj ALL=(root) ALL, !/bin/su' and 'meraj ALL=(root) /bin/su tomcat'. And still the same result. I pasted the updated sudo -l output as well in my original question. Commented Mar 23, 2016 at 12:23
