1

I want to stop the normal users from using following commands

  1. /bin/bash
  2. /usr/bin/sudo
  3. /bin/su

I added them in sudoers file but normal user can still use the following command This is how i add the entry in Sudoers File

Cmnd_Alias NOTALLOWED = /bin/sh,/bin/bash,/usr/bin/sudo,/bin/su

Only /bin/bash is working otherthan this sudo and su are not working and users are able to switch

Improve this question
5
  • 1
    What do you want? do you unprivillgae root user from a normal user, or do you want to ban user from login?or want to lower privilllage than root? Commented Sep 29, 2013 at 13:10
  • 3
    If you are trying to restrict users from using sudo to run certain commands, it's better to whitelist the commands you want them to be able to run rather than blacklist a handful. There are so many ways to get a shell via sudo if they can run any other command. Commented Sep 29, 2013 at 13:14
  • Only those users who are in the sudoers file will be able to run sudo and you need the user's password to switch users with su. I don't understand what more you need. Commented Sep 29, 2013 at 13:34
  • @terdon, I checked this also but the thing is this that even though if the user is not is the sudoers file and he can run the su command and knows the password he can switch to root and I dont want this to happen. Its always better to secure the system than working hours to rescue it. Commented Sep 29, 2013 at 13:48
  • 2
    Why does your user know the root password in the first place? Securing the system means making sure nobody has the root password. You can also disable the root account completely in which case su will do nothing. If you start with a compromised root account you will never have a secure system. Commented Sep 29, 2013 at 14:08

2 Answers 2

Reset to default
3

Your question is a bit confusing. I think you want to prevent users from running commands as root. If that's what you want:

  • Don't give them the root password. If they already have the root password, change it.
  • Don't allow them to use sudo to run commands as root. Remove them from the suoders file.

Forbidding users from running a few commands such as su and bash while allowing users is completely useless. They'll be able to run any of hundreds of commands that allow running other commands (sh, env, perl, vi, nethack, gcc…). You can't achieve any extra security by blacklisting a few commands. If you don't want users to be allowed to run commands as root, don't allow them to run commands as root: keep them out of the sudoers file, or only allow a carefully chosen set of commands which do not provide a way to run a shell or to overwrite arbitrary files.

It's possible to set up a wheel group such that only users in that group can become root by running su, even if they know the root password. However, this is not really useful since user who know the root password can log in with login. Again, if there are users who know the root password but shouldn't, that's what you need to address.

Improve this answer
0

Since they belong to root with regards to uid and gid, can't you just chmod 750 them?

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.