
I am using RHEL 7.2 in our environment. I do not want any user on the system to "su" to 2 specific users, say "user3 and user4". But "user3 and user4" can "su" to any user in the system.

Let me explain my requirement in detail. Let's say I have 4 users on the server, say user1, user2, user3 and user4.

Say I logged in to the server with user1 or user2. My requirement is that they cannot switch user ("su") to user3 and user4. But if I logged in to the server using "user3" or "user4", I can switch user ("su") to user1 or user2.

In a nutshell

Login as user1 on server> su - user3 ----- This should not work

Login as user3 on server> su - user1 ----- This should work

Ankush kalra

2 Answers

I suspect you have not asked the question you want answered. Specifically, I suspect you're asking about how to control access to sudo su foo; but I will answer the question as asked.

To prevent user1 doing su user3, do not give user1 user3's password. It's as simple as that.

If instead you want to control user1's ability to sudo su user3, which is a completely different thing, then do not give them that privilege in sudoers. Praveen P's answer is pretty good on that, though you are on a short highway to failure if you think you can meaningfully grant people rights to sudo everything, then take away a few commands (off the top of my head, I can think of five or so different ways to change root's password in the context of the sudoers file (s)he quotes). Generally, only give people privilege to do the things they need to do.

MadHatter
  • Never use `sudo su`. You either mean `sudo -s` (shell) or `sudo -i` (login shell). – allo Dec 26 '17 at 16:15
  • @allo I don't mean that, because I often use `sudo /bin/su - `. Do you have any particular grounds to recommend against it, particularly supported ones? – MadHatter Dec 26 '17 at 16:16
  • Carpal tunnel syndrome, perhaps? I used to do `sudo su -` too, until I discovered `sudo -i` existed. – Michael Hampton Dec 26 '17 at 18:58
  • @MichaelHampton hee hee! Also, Happy Christmas! – MadHatter Dec 26 '17 at 19:09
  • `sudo su` is like "useless use of cat". It works just fine, but is not required and has (very small) overhead. su as root is just the same as starting the (login) shell, e.g. `sudo bash`. sudo has options to explicitly open the user's shell, so this is the correct way. – allo Dec 26 '17 at 21:32
  • I think *correct* way is a little presumptuous. As you point out, on systems that have the `-s` and `-i` flags to `sudo`, those will do a reasonable job of duplicating the running environment of the sudo-to user, but they're not the only way to do it. I accept that you prefer them, but if you can't produce valid reasons why they're better, it's good to distinguish between personal preference and best-practice. – MadHatter Dec 26 '17 at 22:08

You can use visudo to control user access and what functions they can use as well.

Here's an example:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL
ubuntu  ALL=/bin/sh,/usr/bin/*,/usr/sbin/*,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/usr/bin/su,!/usr/sbin/visudo, /sbin/*, /bin/*

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL, !/usr/bin/passwd root

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

In the above config, user ubuntu has restrictions, and the sudo group also has restrictions.

For instance, ubuntu can do following:

  • Run command in /bin/sh
  • Run any command in /usr/bin/*
  • Run any command in /usr/sbin/*
  • Change password of any users /usr/bin/passwd [A-Za-z]*

But ubuntu cannot do following:

  • Change root password !/usr/bin/passwd root
  • Become superuser !/usr/bin/su
  • Update visudo itself !/usr/sbin/visudo

You can also do this with groups as well, i.e. the sudo group can do anything but change the root password.

Update

If you really want to go the extra mile to stop someone accessing another user, I would do this.

  1. Find the next available group ID for the new group.
    • Run getent group and find the next biggest group ID available. Normally it's the next number after the last user you've added. In my case it is 1002, after my last added user user1:x:1001:.
  2. Then create a new group with the next available ID.
    • In my case I did the following: sudo groupadd -g 1002 restricted
  3. Then update the sudoers file via visudo to add your required restrictions.
    • In my case, I added the following line after the %sudo line.
    • %restricted ALL=(ALL:ALL) ALL, !/usr/bin/su, !/bin/su
  4. Last, add the user to the group.
    • sudo adduser user1 restricted
Prav
  • Thanks for the reply. Let me rephrase my requirement. I want no user on the system to be able to "su" to "user3" and "user4", but "user3" and "user4" can "su" to any user present on the system. – Ankush kalra Dec 26 '17 at 13:38
  • @Ankushkalra I've updated the post – Prav Dec 26 '17 at 14:30
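An added audit script (not from the answer above or from sudo itself) that models the Cmnd_List semantics the sudoers example relies on: entries are tried in order, the last match wins, `!` negates, and a `*` in a path never crosses `/`. Fed the `ubuntu` and `%sudo` entries quoted in the answer (copied in as constructed input; host and Runas parts are ignored, and `parse_cmnd_list`/`audit` are assumed helper names), it reports `/usr/bin/passwd root` and `/usr/bin/su` as denied while `/bin/su` is still permitted by the trailing `/bin/*`, which is why the update adds `!/bin/su` as well.

```python
import fnmatch
import re

# Constructed input: the two user specifications quoted in the answer above.
SUDOERS_LINES = [
    "ubuntu  ALL=/bin/sh,/usr/bin/*,/usr/sbin/*,/usr/bin/passwd [A-Za-z]*,"
    "!/usr/bin/passwd root,!/usr/bin/su,!/usr/sbin/visudo, /sbin/*, /bin/*",
    "%sudo   ALL=(ALL:ALL) ALL, !/usr/bin/passwd root",
]

def parse_cmnd_list(line):
    """Return [(negated, path_pattern, args_pattern_or_None)] for one user spec.
    Only the Cmnd_List is modelled; the Host and Runas parts are dropped."""
    spec = line.split("=", 1)[1]
    spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # strip a leading (user:group)
    rules = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        parts = item.lstrip("!").strip().split(None, 1)
        rules.append((negated, parts[0], parts[1] if len(parts) > 1 else None))
    return rules

def path_matches(pattern, path):
    # sudoers matches paths with FNM_PATHNAME: '*' and '?' never match '/'
    pp, qq = pattern.split("/"), path.split("/")
    return len(pp) == len(qq) and all(fnmatch.fnmatchcase(q, p) for p, q in zip(pp, qq))

def rule_matches(rule, path, args):
    _, ppath, pargs = rule
    if ppath != "ALL" and not path_matches(ppath, path):
        return False
    if pargs is None:      # no argument spec: any arguments are accepted
        return True
    if pargs == '""':      # empty spec: the command must be run without arguments
        return args == ""
    return fnmatch.fnmatchcase(args, pargs)  # argument wildcards may match '/'

def allowed(rules, path, args=""):
    """Last matching entry wins, as sudoers(5) documents; no match means denied."""
    verdict = False
    for rule in rules:
        if rule_matches(rule, path, args):
            verdict = not rule[0]
    return verdict

def audit(rules, commands):
    """Return the (path, args) pairs the policy still permits."""
    return [(p, a) for p, a in commands if allowed(rules, p, a)]

if __name__ == "__main__":
    ubuntu = parse_cmnd_list(SUDOERS_LINES[0])
    checks = [("/usr/bin/passwd", "root"), ("/usr/bin/su", ""), ("/bin/su", "")]
    print(audit(ubuntu, checks))  # → [('/bin/su', '')]
```

On RHEL 7, where /bin is a symlink to /usr/bin, `/bin/su` is the same binary as the `/usr/bin/su` the entry tries to deny, so an allow-list of exactly the commands a user needs is far easier to audit than a deny-list bolted onto a broad `/bin/*`.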