Your question is not necessarily related to Centrify, but rather to who can execute a particular set of binaries on a UNIX system, which is controlled by the UNIX file permissions of the binaries.
By default, all users have execute rights on the sudo and su binaries, as shown below.
[root@engcen6 certs]# ls -l /usr/bin/sudo
---s--x--x. 1 root root 123832 Aug 13 2015 /usr/bin/sudo
[root@engcen6 certs]# ls -l /bin/su
-rwsr-xr-x. 1 root root 34904 Nov 10 2015 /bin/su
You can change the permissions on the binaries to accomplish what you want as shown below:
# chmod 4750 /bin/su
[root@engcen6 certs]# ls -l /bin/su
-rwsr-x---. 1 root root 34904 Nov 10 2015 /bin/su
[root@engcen6 certs]# chmod 4010 /usr/bin/sudo
[root@engcen6 certs]# ls -l /usr/bin/sudo
---S--x---. 1 root root 123832 Aug 13 2015 /usr/bin/sudo
The end result is the following when a "regular" user tries to execute these binaries.
[dwirth@engcen6 ~]$ su
-bash: /bin/su: Permission denied
[dwirth@engcen6 ~]$ sudo
-bash: /usr/bin/sudo: Permission denied
Regards,
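
Added example, not part of the original answer: a POSIX shell check that reports whether files such as /bin/su and /usr/bin/sudo are still executable by "other" after the chmod above, which is worth re-running because package updates can restore the default modes. It assumes GNU `stat -c`; the function names `check_restricted` and `audit` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the "other" execute bit on privileged binaries.
# Assumption: GNU coreutils stat (-c format strings) is available.
# Usage on a real host (as any user): audit /bin/su /usr/bin/sudo

# check_restricted FILE
#   returns 0 if "other" has no execute bit (restricted to owner/group)
#   returns 1 if any user on the system can execute FILE
#   returns 2 if FILE is missing or cannot be stat'ed
check_restricted() {
    cr_file=$1
    [ -e "$cr_file" ] || { echo "MISSING $cr_file"; return 2; }
    cr_mode=$(stat -c '%a' -- "$cr_file") || return 2
    cr_group=$(stat -c '%G' -- "$cr_file") || return 2

    # A four-digit octal mode starting with 4-7 has the setuid bit set.
    case "$cr_mode" in
        [4567]???) cr_suid=setuid ;;
        *)         cr_suid=no-setuid ;;
    esac

    # The last octal digit is the "other" class; an odd digit means execute.
    case "$cr_mode" in
        *[1357])
            echo "OPEN    $cr_file mode=$cr_mode $cr_suid (any user can execute)"
            return 1 ;;
    esac
    echo "LOCKED  $cr_file mode=$cr_mode $cr_suid group=$cr_group"
    return 0
}

# audit FILE...
#   checks every file and returns non-zero if any is open or missing
audit() {
    au_rc=0
    for au_file in "$@"; do
        check_restricted "$au_file" || au_rc=1
    done
    return "$au_rc"
}
```

The group printed on a LOCKED line is the set of accounts that can still run the binary, so it is the value to review after a change like `chmod 4750`.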