Linux – sudo su runs without password prompt


So here's the problem. We've got the /etc/sudoers file set up so that users can run commands from /bin like "cat" or "mkdir" without entering a password.
The problem is that the "su" command is also in /bin, so if they enter "sudo su", it gives them root access without a password.
Here's the /etc/sudoers file:

Defaults targetpw    
%users ALL=(ALL) ALL 

root    ALL=(ALL) ALL

support ALL=(ALL) NOPASSWD: /sbin/, /bin/, /opt/, /etc/init.d/, /elo/
support ALL=(ALL) NOPASSWD: /usr/bin/mysql

Is there a way I can deny /bin/su while still allowing the rest of the /bin commands?

Best Answer

They can mount? Then they have everything to become superuser. There are some other interesting commends, too.

You really want to make /etc/sudoers a white-list, and not a black-list.

With proper file and directory access bits and user/group setings, you should not need sudo in your daily work.

Related Question