Recipe 5.14 Restricting root's Abilities via sudo
5.14.1 Problem
You want to let a user run all commands as root except for specific exceptions, such as su.
5.14.2 Solution
Don't.
Instead, list all the permissible commands explicitly in /etc/sudoers. Don't try the reverse—letting the user run all commands as root "except these few"—which is prohibitively difficult to do securely.
5.14.3 Discussion
It's tempting to try excluding dangerous commands with the "!" syntax:
/etc/sudoers:
smith ALL = (root) !/usr/bin/su ...
but this technique is fraught with problems. A savvy user can easily
get around it by renaming the forbidden executables:
smith$ ln -s /usr/bin/su gimmeroot
smith$ sudo gimmeroot
Instead, we recommend listing all acceptable commands individually,
making sure that none have shell escapes.
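As an added example (not part of the original recipe), the following Python check flags "!" command entries in sudoers text so they can be replaced with explicit lists. The sample sudoers content and the name find_negated_commands are constructed for illustration, and the parser is deliberately simplified, as its docstring states.

```python
import re

# Constructed sample, not taken from a real system.
SAMPLE_SUDOERS = r"""
# constructed sample
Defaults !lecture
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
smith ALL = (root) ALL, !/usr/bin/su, \
                   !SHELLS
jones ALL = (root) NOPASSWD: /usr/bin/lpc, /usr/bin/lprm
"""

# Line types that never grant commands.
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")


def find_negated_commands(text):
    """Return (subject, negated_entries, grants_ALL) for each offending rule.

    Simplified parser (an assumption of this example): it handles comment
    lines, backslash continuations, (runas) lists and TAG: prefixes, and
    ignores #include files, #uid users and multi-host "a = x : b = y" rules.
    """
    findings = []
    # Join continued lines first so one rule is one logical line.
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        left, sep, right = line.partition("=")
        words = left.split()
        if not sep or not words:
            continue
        # For a Cmnd_Alias the subject is the alias name, otherwise the user.
        is_alias = words[0] == "Cmnd_Alias" and len(words) > 1
        subject = words[1] if is_alias else words[0]
        right = re.sub(r"\([^)]*\)", "", right)   # drop (runas) lists
        right = re.sub(r"\b[A-Z_]+:", "", right)  # drop NOPASSWD: and other tags
        cmds = [c.strip() for c in right.split(",") if c.strip()]
        negated = [c for c in cmds if c.startswith("!")]
        if negated:
            findings.append((subject, negated, "ALL" in cmds))
    return findings


if __name__ == "__main__":
    for subject, negated, grants_all in find_negated_commands(SAMPLE_SUDOERS):
        note = "combined with ALL" if grants_all else "negation only"
        print(f"{subject}: {', '.join(negated)} ({note})")
```

Rules it reports are candidates for rewriting as an explicit list of permitted commands; validate the edited file with visudo before relying on it.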
5.14.4 See Also
sudo(8), sudoers(5).