LinuxQuestions.org

Linux - Server: How to prevent giving sudo access to developers? (https://www.linuxquestions.org/questions/linux-server-73/how-to-prevent-giving-sudo-access-to-developers-4175736215/)

donvito7 04-19-2024 05:45 AM

How to prevent giving sudo access to developers?
 
I have a dev team that keeps asking me to add them to the sudo users.

I do not want to do it because it is far more than they need.

They all belong to the (tomcat) group and can do all they need, but when they need to start the application, their script is calling sudo as the tomcat user:

sudo -u tomcat /and the rest path to start it.

So when they execute the command they are prompted for the password of a user that is not in the sudo users group.

The access list does not resolve the issue in this case I suppose.

Could you advise what would be the best way to avoid it?

blunix2 04-20-2024 04:08 PM

Not sure if I get this correctly, but if your devs "don't listen", you could just override sudo by editing their PATH and replacing sudo with a command that simply discards all arguments and does nothing, but just executes the actual command.

lvm_ 04-21-2024 12:20 AM

If you cared to peruse the sudoers man page, you would've learned that sudo is not a 'gimme root' but a fully granular control tool that lets one specify which user may run which command with which credentials.

Turbocapitalist 04-21-2024 01:13 AM

Quote:

Originally Posted by lvm_ (Post 6497438)
If you cared to peruse the sudoers man page, you would've learned that sudo is not a 'gimme root' but a fully granular control tool that lets one specify which user may run which command with which credentials.

Indeed. sudo and sudoers are usually misunderstood, misconfigured, and abused. Ask your developers and find out which very specific tools they are really asking for and adjust the configuration to allow that and only that.

I would recommend Michael W Lucas' book, sudo Mastery, to take a deep dive into the capabilities of sudo as a tool for providing granular access. While the book is on order from your college library or via your local bookstore you can hunt down the video of his talk, "sudo: You're Doing It Wrong", to get a rather quick overview of the tool.

Then keep checking the manual page, using the command "man sudoers", as you go through the book. It is one of the more daunting manual pages out there, but is the ultimate reference (besides the source code) as to what the utility can do for you.

MadeInGermany 04-21-2024 07:17 AM

I don't understand the requirement.
Perhaps you can give some invocation examples, what is allowed/denied for whom?

And list what you have already:
Code:

grep -s "^[^#]" /etc/sudoers /etc/sudoers.d/*

Perhaps the following examples are helpful.

Allow the members of a group to run certain commands as root without a password:
Code:

%tomcat ALL = (root) NOPASSWD: /path/to/cmd1, /path/to/cmd2

Exclude the members of a group:
Code:

User_Alias NOWEB = ALL, !%tomcat

Allow all the others to run ALL commands as ALL users (that's pretty unsafe of course):
Code:

NOWEB ALL = (ALL) ALL

pan64 04-21-2024 07:26 AM

In other words: with sudo you can allow only the start/stop script (or any other script) to run, nothing else. You just need to take care of that script (so nobody should be able to modify it).
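Putting MadeInGermany's sudoers syntax and pan64's "protect the script" point together for the OP's tomcat case, as an added example (not code from any poster in this thread): the group name, service user and /opt/tomcat/bin paths are assumptions, and the owner/permission check is generic, not tied to any particular Tomcat layout.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Generates a sudoers
# drop-in that lets the tomcat group run only the Tomcat start/stop scripts as
# the tomcat user, and checks that those scripts are not editable by the callers.
# Assumptions: group "tomcat", service user "tomcat", scripts under /opt/tomcat/bin
# (placeholder paths; set TOMCAT_HOME to match the real host).

TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"

# Print the sudoers fragment.
#  %tomcat   : every member of the tomcat group
#  (tomcat)  : the only RunAs user they get, so no path to root
#  NOPASSWD  : no prompt, so "sudo -u tomcat .../startup.sh" works from a script
#  full paths: sudo matches the exact path, so only these two commands qualify
tomcat_sudoers_fragment() {
    cat <<EOF
# Developers may control the Tomcat service and nothing else.
Cmnd_Alias TOMCAT_CTL = $TOMCAT_HOME/bin/startup.sh, $TOMCAT_HOME/bin/shutdown.sh
%tomcat ALL = (tomcat) NOPASSWD: TOMCAT_CTL
EOF
}

# A sudoers entry is only as tight as the file it names: if the group can edit
# startup.sh they can run anything as tomcat. Returns 0 when the file is a
# regular file owned by $2 and not writable by group or others, 1 otherwise.
script_is_locked_down() {
    file="$1"; expected_owner="$2"
    [ -f "$file" ] || return 1
    line=$(ls -ld "$file")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group_w=$(printf '%s\n' "$line" | cut -c6)
    other_w=$(printf '%s\n' "$line" | cut -c9)
    [ "$owner" = "$expected_owner" ] && [ "$group_w" != "w" ] && [ "$other_w" != "w" ]
}

# Install the fragment with the 0440 mode sudo expects, but only after visudo
# confirms the syntax, so a typo cannot break sudo for everyone on the host.
install_fragment() {
    tmp=$(mktemp) || return 1
    tomcat_sudoers_fragment > "$tmp"
    visudo -cf "$tmp" && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/tomcat
    rc=$?; rm -f "$tmp"; return $rc
}
```

Run `script_is_locked_down /opt/tomcat/bin/startup.sh root` before installing; if it fails, fix ownership first, because the sudoers line would otherwise hand the developers whatever they write into that script.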

yancek 04-21-2024 07:28 AM

Quote:

sudo is not a 'gimme root' but a fully granular control tool that lets one specify which user may run which command with which credentials.

I agree with that and think that Canonical/Ubuntu bear a lot of responsibility for the abuse. The ubuntu.com site at the link below gives Advantages and Disadvantages of always using sudo, and reading through the Advantages, they are pretty silly reasons and seem to be pandering to the lazy. Number 8 on that list is what sudo is supposed to be used for.

https://help.ubuntu.com/community/RootSudo
