Sudo allows users to run commands on behalf of vas-denied users (user.deny)
This is normal sudo behaviour, if the user exists, a command can be run on behalf of that user.
Sudo will check if the user exists and if it does, will allow you to run a command as that user (provided your sudoers file allows this action).
However, you can hide the user from NSS, which means that sudo won't be able to see the user, and therefore won't allow an su:
(My denied user is aptly called 'denied' for clarity)
[user@linux1 ~]$ /opt/quest/bin/vastool list user denied
[user@linux1 ~]$ sudo -u denied date
sudo: no passwd entry for denied!
If you wish to add this change you can run the following command to configure it:
# /opt/quest/bin/vastool configure vas nss_vas user-hide-if-denied true
Some details can be found in the vas.conf MAN entry:
user-hide-if-denied = <true | false>
Default value: false
By default, all available users are visible from the standard getpw* and getgr* functions. Setting this option to true will cause nss_vas not to return users if they are denied access according the host access control rules. This virtually hides those users as if they are not available on the system. This option is off by default. If this option is changed, the groups cache must be flushed before denied users will be excluded from membership lists returned from getgr* calls.
Note that this is a global option and will modify the behavior of nss_vas in all processes on the Unix host.
The following example shows how to hide users who are denied access from the getpw* family of functions.
user-hide-if-denied = true