Hi,
I'm configuring ssh 1.5.9 on HP-UX 10.20, and I'm attempting to restrict root shells
for the non-UNIX techies while still allowing them to su to other users. I've set up
the following:
##
# User alias specification
##
User_Alias OTHER_SYSADS=usera,userb
User_Alias UNIX_SYSADS=self
...
##
# Command alias specification
##
Cmnd_Alias SHELLS=/usr/bin/sh,/sbin/sh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/posix/sh,/usr/bin/keysh,/usr/old/bin/sh,/usr/bin/rsh,/usr/bin/rksh
Cmnd_Alias SUPER_USER=/usr/bin/su *root*,/usr/bin/su [!-]*,/bin/su *root*,/bin/su [!-]*
Cmnd_Alias PASSWORD=/bin/passwd root
Cmnd_Alias VISUDO=/usr/local/sbin/visudo
...
##
# User specification
##
# UNIX sysadmins can run anything without a password
UNIX_SYSADS ALL=NOPASSWD:ALL
# Other sysadmins can run most things but can't su to root, run root shells, or
# edit sudoers, the sudo log, or syslog.conf.
OTHER_SYSADS ALL=NOPASSWD:ALL,!SHELLS,!SUPER_USER,!VISUDO,!PASSWORD,!SUDO_LOG,!SYSLOG_CONF
This configuration doesn't work quite as planned. The problem is that I can't figure
out how to allow the other admins to su to other users except root. I know the sample
sudoers file that comes with the sudo package shows the following lines to restrict
root access:
# somedude may su to anyone but root and flags are not allowed
somedude ALL=/usr/bin/su [!-]*, !/usr/bin/su *root*
However, this seems to still allow root access if somedude simply types "sudo su -".
Can anyone help?
Thanks,
-Dave
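As an added example (not part of Dave's post and not sudo's own code), here is a small POSIX sh checker that applies the OTHER_SYSADS rule above (`ALL,!SUPER_USER`) to candidate command lines. It uses the shell's `case` globbing to stand in for the fnmatch(3)-style matching sudo performs on the space-joined argument string, so you can see which `su` invocations each SUPER_USER pattern catches and which fall through to `ALL` before the sudoers file goes live.

```sh
#!/bin/sh
# Offline audit helper for the poster's SUPER_USER patterns (added example).
# sudo matches a rule's argument pattern against the command's arguments joined
# by single spaces; the shell's case globbing behaves the same way for the
# patterns used here ("*root*" and "[!-]*").

# Entries copied from the poster's Cmnd_Alias SUPER_USER, one per line.
SUPER_USER='/usr/bin/su *root*
/usr/bin/su [!-]*
/bin/su *root*
/bin/su [!-]*'

# glob_match PATTERN STRING -> status 0 if STRING matches the glob PATTERN.
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# cmd_matches_alias ALIAS_BODY COMMANDLINE -> status 0 if any entry matches.
# The executable must compare equal; the argument string must match the glob.
# An entry with no argument pattern means "only this command with no args".
cmd_matches_alias() {
    cmd=${2%% *}                       # executable path
    args=${2#"$cmd"}; args=${args# }   # everything after the first space
    while IFS= read -r entry; do
        e_cmd=${entry%% *}
        e_args=${entry#"$e_cmd"}; e_args=${e_args# }
        [ "$cmd" = "$e_cmd" ] || continue
        if [ -z "$e_args" ]; then
            [ -z "$args" ] && return 0
        elif glob_match "$e_args" "$args"; then
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# decision COMMANDLINE -> prints "allow" or "deny" for the rule ALL,!SUPER_USER
decision() {
    if cmd_matches_alias "$SUPER_USER" "$1"; then echo deny; else echo allow; fi
}

# Constructed sample invocations; note which ones reach ALL unhindered.
for c in '/usr/bin/su root' '/usr/bin/su userb' '/usr/bin/su -' '/usr/bin/su' '/usr/bin/su - userb'; do
    printf '%-22s %s\n' "$c" "$(decision "$c")"
done
```

Running it shows that `[!-]*` denies `su userb` (an ordinary target user) while `su -` and a bare `su` match neither pattern and are therefore permitted by `ALL`, which is the gap the post describes.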