The Geek Diary

How to disable “sudo su” for users in sudoers configuration file

By admin

This post outlines steps to tighten system security by preventing users with sudo access from gaining superuser privilege by running the command:

$ sudo su

The sudo command allows a system administrator to enable a user, or a group of users, to run specific command-line tools with different privileges (such as superuser “root” privilege) knowing only the original user password.

When the sudo command is run, it looks for a matching command in its configuration files, /etc/sudoers or the files under /etc/sudoers.d/. If a match is found, the user is granted the privilege to run the command; if not, the event is logged and the command is rejected.

The sudo command works by matching the arguments from the command line against each entry in the /etc/sudoers or /etc/sudoers.d/ files. The first match found determines the outcome. The rules are tested in the order in which they appear in the /etc/sudoers file. Each rule is matched against the beginning of the command: if the rule is shorter than the command, only the matching portion at the beginning of the command is checked, and any remainder of the command is not checked. Because the order of /etc/sudoers rules matters, always put the longer rules before a shorter version.

1. Log in to the server as the root account.

2. Back up the /etc/sudoers config file.

# cp -p /etc/sudoers /etc/sudoers.ORIG

3. Edit the /etc/sudoers config file.

# visudo -f /etc/sudoers

From:

##Allow orarom user to run any command (enabled for patching from oracle platinum support)
orarom ALL=(ALL) ALL

To:

##Limit the orarom user to run any command (enabled for patching from oracle platinum support), except for sudo su to root
orarom ALL = ALL, !/bin/su

4. Then save the file.

5. Repeat the same change for the other user accounts that have sudo access.

Verify

Let's verify that we have disabled “sudo su” for the user.

$ sudo su -
[sudo] password for orarom:
Sorry, user orarom is not allowed to execute '/bin/su -' as root on testvm01.
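
To find the other accounts that step 5 refers to, the following added example (not part of the original post) scans a sudoers file for entries that grant ALL without the !/bin/su exclusion. The function name find_unrestricted, the accounts appadm and backup, and the sample file are assumptions made for illustration; it assumes one rule per line and does not expand aliases.

```shell
#!/bin/sh
# Added example (not from the original post): find sudoers user specs that
# grant ALL commands but lack the "!/bin/su" exclusion applied in step 3.
# Assumptions: one rule per line (no backslash continuations, no Cmnd_Alias
# expansion); "#include" directives are not followed.

# find_unrestricted FILE -> prints "<user-or-%group><TAB><line number>"
find_unrestricted() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/             { next }  # comments, blank lines
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/  { next }  # settings and aliases
    $1 == "root"                         { next }  # root is already root
    {
      eq = index($0, "=")
      if (eq == 0) next
      cmds = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)/, "", cmds)    # drop the Runas spec, e.g. (ALL)
      gsub(/[A-Z_]+:[ \t]*/, "", cmds)     # drop tags, e.g. NOPASSWD:
      n = split(cmds, item, ",")
      all = 0; nosu = 0
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", item[i])
        if (item[i] == "ALL")      all = 1
        if (item[i] == "!/bin/su") nosu = 1
      }
      if (all && !nosu) printf "%s\t%d\n", $1, FNR
    }
  ' "$1"
}

# Constructed sample input; "appadm" and "backup" are made-up accounts.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## constructed sample, not a real /etc/sudoers
Defaults env_reset
root   ALL=(ALL) ALL
orarom ALL = ALL, !/bin/su
appadm ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
backup ALL=(root) /usr/bin/rsync
EOF

find_unrestricted "$sample"   # reports appadm (line 5) and %wheel (line 6)
rm -f "$sample"
```

On a real host, run it as root against /etc/sudoers and each file under /etc/sudoers.d/, and check syntax with visudo -c after editing. The sudoers manual cautions that subtracting commands from ALL with "!" is generally not an effective restriction, so an explicit list of permitted commands is the stronger control where the account's role allows it.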

Filed Under: CentOS/RHEL 5, CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2021 · The Geek Diary