stop users from using 'su'

opencrvs · Jan 16, 2024 · 595e1a2 · 595e1a2
1 parent 4a28106
commit 595e1a2
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/infrastructure/server-setup/tasks/users.yml b/infrastructure/server-setup/tasks/users.yml
@@ -4,10 +4,10 @@
     state: '{{ item.state }}'
   with_items: '{{ users }}'
 
-- name: Grant passwordless sudo to the users
+- name: Grant passwordless sudo to the users, but prevent usage of 'su'
   ansible.builtin.lineinfile:
     path: /etc/sudoers.d/{{ item.name }}
-    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL'
+    line: '{{ item.name }} ALL=(ALL) NOPASSWD:ALL, !/usr/bin/su'
     validate: 'visudo -cf %s'
     create: yes
   become: yes