On Thu, Dec 10, 2020 at 04:48:36PM +0300, Reco wrote:
I just like to remind you the original question: Is there a way to put an account "beyond use", in any way including su, sudo etc, *In any way* includes the way I've described above IMO.
So you're asking if there's a way to prevent someone from using sudo to do something sudo has been specifically configured to do? Kind of a weird question, IMO. If you don't want to allow someone to sudo to a particular user then...don't configure sudo to allow them to do that.
Also worth pointing out that having a passwd entry isn't even relevant to whether root can setuid. At some point if you've provided enough rope then setting a bunch of artificial constraints for the sake of argument is just a waste of time.
# id
uid=0(root) gid=0(root) groups=0(root)
# id 1234
id: ‘1234’: no such user
# python3 -c 'import os; os.setuid(1234); os.execl("/bin/bash", "bash")'
$ id
uid=1234 gid=0(root) groups=0(root)