Hello!

Do anyone have idea how to block switching to root if user have full sudo?

One way is in sudoers file block use of "su", but still it`s possible with sudo -i or sudo -s , sudo bash etc.
Other way is create alias on sudoers and permit only specific commands for user.

Any ideas?

From experience of this situation i would in every case advise to create a command alias for a user to only use sudo for those specific commands and add each command as necessary (obviously dont add commands like su,sh,bash,ksh,visudo,passwd). Much better to have a secure server than give full access to a user and firefight in response to his attempts at gaining root.

I don't quite get it: why does the user have "full sudo" (i assume this to mean he can use every command) if he should not be allowed to become root?

If you don't want someone to utilize "full sudo", then just don't give hime "full sudo". If you get into a situation where you have no other choice than to do that you probably have made a serious error in your rights concept long ago. I suggest you reconsider/redo this instead of patching your environment into something which "almost looks like working".

If you bake a cake and you have forgotten the backery improver, you probably end up with a thing of the consistency of a stone. To grind this thing down to powder, add water and the forgotten bakery improver and expecting this to bake to a (tasting) cake is similarly doomed to disenthrall your expectancies. The only way is to start over and do it right this time.

I hope this helps.

bakunin

You cannot prevent root from being root.

If you don't want someone to abuse root, don't give them root.

To control sudo you must edit the suders file. You can also control who can use sudo by only letting users in certain groups use sudo.
To edit sudo you run this command as root.

visudo

Hi,

Thanks for answers.

Full sudo is for server administrators, but sometimes there are some people who don`t understand what they are doing or just making mistakes.
Also other thing is that, root activities are not logged, but sudo activities are logged under /var/log/secure. How to fight against it?

These shouldn't be server administrators at all! Admins should only be a VERY FEW select people who have proven their skill, everything else is just plain dangerous.

This is a no-brainer: start an interactive program as root which allows a shell escape and then do a shell escape - you have a root shell. For instance: "sudo vi", enter ":!sh" and you have a root shell. What one does inside this shell (and even that he opened the shell) is not seen at all in "/var/log/secure". Or one can trim the file after doing something, because root has write access to the log.

It is an old proverbial truth that root can circumvent absolutely any security mechanism as long as it is server-based. The only thing you can do is to log outside of the area of roots control: on another system, where root is not allowed to become root. See the man page of "syslog" for the possibility to do the logging over the network to a remote system.

I hope this helps.

bakunin