require password to SUDO SU

[grafeio]

I need to setup the system so that a password is required to sudo su from the tc user account. This is to stop the default user from messing with the system, but allowing an administrator to come along and sudo su with the password.

I can set the root password and add /etc/shadow and /etc/sudoers to /opt/.filetools.lst
I can even run visudo as root and remove the NOPASSWD: for tc user, however, this prevents the backup running properly. I assume as the back script and probably others use sudo. And of course the wiki does say DON'T modify root or tc entries in sudoers

So how can I have the system require a password in aterm when using sudo su, or just block sudo from being used in aterm altogether and just use su, which does prompt, but without breaking the scripts etc?

[ixbrian]

I don't think there is a really good way to accomplish what you are trying to do.   Tiny Core relies on calls to sudo for quite a bit; run a command like this to see some of the references:

Code: [Select]

find / | egrep -v "^/dev|^/proc|^/sys|/usr/sbin/visudo|/usr/bin/sudoedit|/usr/bin/sudo|/etc/sudoers" | xargs grep sudo

Sudo allows you to exclude commands, so for example you could edit your sudoers file and add something like this:

Code: [Select]

tc     ALL=NOPASSWD: ALL, !/bin/su, !/usr/sbin/visudo, !/usr/bin/passwd, !/usr/sbin/chpasswd
This will grant the user sudo access for everything except the commands listed.   This is not a good solution at all, and there are many ways a user could bypass this, so I wouldn't recommend this.   Read the "Security Notes" section of the sudoers man page for some examples of why this is a bad idea:   http://www.sudo.ws/sudo/sudoers.man.html

Another option would be to find the Tiny Core references to sudo using a command like the one I provided above and specifically grant the user access to these commands in sudo and disallow all others.   This would be time consuming and with the number of commands you would have to allow the user to run it would probably open up ways to gain full root access through sudo still.   

[grafeio]

Thanks for the quick response.
I think removing =NOPASSWD: from the sudoers file entry would be a big mistake, then, and adding exclusions wouldn't be the best option either.

Not sure from here. I've reset the root password and added /etc/shadow to /opt.filetools.lst to back it up anyway. I'll have to worry about locking it down a bit later. It's not a desperate security issue, just to stop 'curious' users messing things up.