Quoting Jim Crumley <crumley at belka.space.umn.edu>:

> On Tue, Feb 05, 2008 at 08:04:29PM +0000, Josh Welch wrote:
>> Note that the proper approach here would be to simply disallow doing a
>> sudo to su if you're on a multi-user system where such things matter.
>> One of the nice things about sudo is that you can specify with a fair
>> degree of granularity what users are allowed to issue what commands as
>> the superuser.
>
> The problem with the blacklist route of dealing with sudo, is
> that there are often holes. Many programs allow you to run shell
> commands (vi, emacs, etc.), so you really need to restrict their
> usage as well, if you are going to go this route.
>

I misspoke. As I noted to someone else, possibly in private mail, the proper way to give sudo access is to give only specific access, which would in effect disallow `sudo su` as well as everything else not explicitly allowed.

Can't get anything by you people. ;)

Josh W
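
The two approaches discussed in this thread, written out as a sudoers fragment. This is an added example, not part of the original message; the user `alice`, the host `web1`, the alias name and all paths are hypothetical.

```sudoers
# Constructed example for contrast. Edit sudoers only through visudo.

# --- Blacklist approach (shown commented out; do not combine with the rules below)
# "ALL" minus a few named binaries. Anything not listed is still permitted,
# including editors that can run shell commands and any shell reachable
# under a different path, so the exclusions are easy to miss around.
# alice  web1 = (root) ALL, !/bin/su, !/bin/sh, !/bin/bash

# --- Whitelist approach
# Only the commands named here, with fixed arguments, are allowed.
# "sudo su" and everything else not listed is denied by default.
Cmnd_Alias WEB_OPS = /usr/sbin/apachectl configtest, \
                     /usr/sbin/apachectl graceful
alice  web1 = (root) WEB_OPS

# Let the user edit one root-owned file without running an editor as root:
# sudoedit runs the editor as the invoking user on a temporary copy.
alice  web1 = (root) sudoedit /etc/apache2/apache2.conf

# If a program that can spawn other commands has to be allowed, the NOEXEC
# tag stops it from executing further programs. It relies on the dynamic
# linker, so it does not constrain statically linked binaries.
alice  web1 = (root) NOEXEC: /usr/bin/less /var/log/apache2/error.log
```

`sudo -l -U alice`, run as root, lists what the resulting policy grants that user.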