RE: Sudo & su

> A user with sudoer privileges is able to get root using "sudo su -". I 
> find this extremely irritating. I prefer to keep access to root limited 
> to a number of administrators in my organisation, but the applications 
> running on the system require the application owners to be able to run 
> root only commands. It seems this is a global behavior, I have seen it 
> on RHEL, Fedora and AIX5.3.
> Is there a way to force the system to request for the root password? Or 
> restrict 'sudo' users from using 'su'?

Do not give it all then try to deny certain commands.  Any reasonably smart user 
can defeat that.  Start with nothing and allow only what is necessary.

An example:

User_Alias  WEBADMINS = fbar,jblow

Cmnd_Alias  SERVICE = /sbin/service
Cmnd_Alias  WEBME = /bin/su [-] wwwadmin
Cmnd_Alias  KILL = /bin/kill
Cmnd_Alias  GUNZIP = /bin/gunzip
Cmnd_Alias  GREP = /bin/grep
Cmnd_Alias  LESS = /usr/bin/less

Host_Alias  DMZ = web1,web2,app1,app2

WEBADMINS   DMZ = WEBME,SERVICE,KILL,LESS,GREP,GUNZIP,(wwwadmin)ALL

--
Stephen
-- 
redhat-list mailing list
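
The allow-list approach from the reply above, tightened one step further, as an added example that is not part of the original message. The user, host and account names are reused from the message; the "httpd" service name and the WEBSVC alias are assumptions for illustration.

```sudoers
# Added example (not from the original post).
# Names fbar, jblow, web1..app2 and wwwadmin come from the message;
# "httpd" is an assumed service name, WEBSVC a hypothetical alias.

User_Alias  WEBADMINS = fbar,jblow
Host_Alias  DMZ = web1,web2,app1,app2

# A Cmnd_Alias with no arguments permits ANY arguments, so
# "/sbin/service" alone covers every service on the host.
# Listing the arguments pins the rule to one service and four actions.
Cmnd_Alias  WEBSVC = /sbin/service httpd start, \
                     /sbin/service httpd stop, \
                     /sbin/service httpd restart, \
                     /sbin/service httpd status

# Exact match only: "su - wwwadmin" is allowed, "su -" (root) is not.
Cmnd_Alias  WEBME = /bin/su - wwwadmin

# A pager run as root can start other programs from inside itself.
# NOEXEC stops a dynamically linked command from executing anything
# further. It does not limit which files the pager may open.
Cmnd_Alias  LESS = /usr/bin/less

# Tags are inherited by later entries in the list, so EXEC is set
# back explicitly for the wwwadmin rule.
# No root-level kill, grep or gunzip here: signalling the application's
# own processes and reading its own files is already covered by
# running those commands as wwwadmin, e.g. "sudo -u wwwadmin kill PID".
WEBADMINS   DMZ = WEBSVC, WEBME, NOEXEC: LESS, (wwwadmin) EXEC: ALL
```

Save the fragment to a scratch file and run "visudo -c -f" on it to check the syntax before installing it; "sudo -l -U fbar" then lists what the rule actually grants.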