I'm trying to devise a new sudoers configuration while building a new SOE and would like to force everyone (including system administrators) to use rootsh in favour of doing things like sudo -s, sudo bash, sudo tcsh and so forth. Effectively, use sudo to use any shell other than rootsh.
Is there a way to allow users to run anything they want except shells.
I've seen this question in different forms on various forums. Each time, the result never seems to be a full answer. I would like to prevent users from being able to sudo to root while maintaining the ability to sudo to other users. As tedious a task as this is I already know I can lock out editing the sudoers file and from running sudo bash|sh|etc.
During an installation, as usual, we create our main user account, and then we can do sudo commands with it without problem.
Now, when I created another account, and I wanted to do sudo, it gave me error that the account is not in the sudoers file. In that file I found out that users in %admin and %sudo groups can gain root privileges.