The Geek Diary

How to disable “sudo su” for users in sudoers configuration file

by admin

This post outlines steps to tighten system security by preventing users with sudo access from gaining superuser privilege by running the command:

$ sudo su

The sudo command allows a system administrator to enable a user, or a group of users, to run specific command-line tools with different privileges (such as superuser “root” privilege) knowing only the original user password.

When sudo is run, it looks for a matching command in its configuration files, /etc/sudoers or the files under /etc/sudoers.d/. If a match is found, the user is granted privilege to run the command; if not, the event is logged and the command is rejected.

The sudo command works by matching the arguments from the command line against each entry in the /etc/sudoers or /etc/sudoers.d/ files. The first match found determines the outcome. Rules are tested in the order in which they appear in the /etc/sudoers file. Each rule is matched against the beginning of the command. If the rule is shorter than the command, only the matching portion at the beginning of the command is checked; any remainder of the command is not checked. The order of /etc/sudoers rules matters; always put the longer rules before a shorter version.

1. Log in to the server as root.

2. Back up the /etc/sudoers config file.

# cp -p /etc/sudoers /etc/sudoers.ORIG

3. Edit the /etc/sudoers config file.

# visudo -f /etc/sudoers

From:

## Allow orarom user to run any command (enabled for patching from Oracle Platinum support)
orarom ALL=(ALL) ALL

To:

## Limit the orarom user to run any command (enabled for patching from Oracle Platinum support), except for sudo su to root
orarom ALL = ALL, !/bin/su

4. Then save the file.

5. Repeat the same change for each other user account listed in the sudoers file.

Verify

Let's verify that sudo su is now disabled for the user.

$ sudo su -
[sudo] password for orarom:
Sorry, user orarom is not allowed to execute '/bin/su -' as root on testvm01.
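
Step 5 asks for the same change on every other account. As an added example (not part of the original post), the script below lists the user and group rules in a sudoers-format file that grant ALL commands and reports whether the !/bin/su exclusion from step 3 is present. The function name audit_sudoers and every sample account except orarom are assumptions made for illustration, and the script assumes one rule per line with no alias expansion.

```sh
#!/bin/sh
# Added example (not from the original post). Lists sudoers user/group rules
# that grant ALL commands and reports whether "!/bin/su" has been applied.
# Assumptions: one rule per line (no "\" continuations), aliases not expanded.

audit_sudoers() {   # usage: audit_sudoers FILE
    awk '
        /^[ \t]*$/          { next }    # blank lines
        /^[ \t]*[#@]/       { next }    # comments and include directives
        $1 ~ /^Defaults/    { next }    # option lines
        $1 ~ /_Alias$/      { next }    # alias definitions
        $1 == "root"        { next }    # root stays unrestricted
        index($0, "=") == 0 { next }    # not a user specification
        {
            who  = $1
            spec = substr($0, index($0, "=") + 1)
            gsub(/\([^)]*\)/, "", spec)     # drop Runas lists such as (ALL)
            gsub(/[A-Z_]+:/, "", spec)      # drop tags such as NOPASSWD:
            n = split(spec, item, ",")
            all = 0; no_su = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", item[i])
                if (item[i] == "ALL")      all = 1
                if (item[i] == "!/bin/su") no_su = 1
            }
            if (all) print who, (no_su ? "RESTRICTED" : "OPEN")
        }
    ' "$1"
}

# Constructed sample file; only the orarom rule comes from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults    env_reset
Cmnd_Alias  BACKUP = /usr/bin/rsync
root        ALL=(ALL) ALL
orarom      ALL = ALL, !/bin/su
appadmin    ALL=(ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) BACKUP
EOF
audit_sudoers "$sample"
rm -f "$sample"
```

RESTRICTED only means the rule from step 3 is in place for that entry. The sudoers manual cautions that subtracting commands from ALL with the ! operator is generally not effective, so an explicit list of permitted commands is the stronger control where the account's job allows it.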

Filed Under: CentOS/RHEL 5, CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2023 · The Geek Diary