Bugzilla – Full Text Bug Listing

| Summary: | Runas_Alias allows groups but does not work with negation | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | cartmanltd |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.8.15 | | |
| Hardware: | IBM | | |
| OS: | AIX | | |
Negation with the '!' doesn't work that way. It is more accurate to think of it as denying a privilege that has already been granted. To achieve what you want, you do:

```
Runas_Alias MACHINES = ALL, !%employee
```

You need the ALL there since by default sudo grants no privileges.
The sudoers documentation says Alias definitions are permitted to use group selection (%group) as well as group negation (!%group). For example:

```
Runas_Alias HUMANS = %employee
Runas_Alias MACHINES = ! %employee
```

Whilst sudo accepts both as valid syntax, only the positive group selection is working - the group negation does not work.

In my case, I wish to allow all system accounts to run a particular command (eg: to recycle the daemons) but not permit any member of staff to perform that command. I should be able to use the following sudoers config:

```
Runas_Alias MACHINES = ! %employee
User_Alias CONTROLLER = master
Cmnd_Alias RECYCLE = /usr/bin/recycle_daemon
CONTROLLER ALL = (MACHINES) NOPASSWD: RECYCLE
```

Execution should be as follows:

```
sudo -u daemon /usr/bin/recycle_daemon
```

but does not work, even though "daemon" is not in group "employee". I could of course list each and every system account in the Runas_Alias to make a positive selection, but it's not practical as I have hundreds of accounts - it's far easier to exclude those groups which cannot run this command.
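A small model of the Runas_Alias list semantics the maintainer describes (grant-then-deny, nothing granted by default), added here as an illustration and not sudo's own code; the account and group data are constructed for the example.

```python
# Constructed model of how a Runas_Alias member list is evaluated for a target
# user: entries are scanned in order, a plain entry grants, a '!' entry denies,
# the last matching entry wins, and a user that matches no entry is denied.
# This is an added illustration of the semantics described in the bug, not
# sudo's implementation.

# Constructed sample account database: user -> set of groups.
GROUPS = {
    "daemon": set(),                   # system account, no groups
    "lp": {"printq"},                  # system account, unrelated group
    "alice": {"employee", "staff"},    # staff member
    "bob": {"employee"},               # staff member
}


def member_matches(member, user, groups):
    """True if one alias member (with any leading '!' already removed) names the user."""
    if member == "ALL":
        return True
    if member.startswith("%"):
        return member[1:] in groups.get(user, set())
    return member == user


def runas_allowed(alias, user, groups=GROUPS):
    """Evaluate an alias member list for a target user.

    Returns True only if at least one entry matched and the last matching
    entry was not negated. With no match at all, the default is to deny.
    """
    matched = None                              # None: nothing granted yet
    for raw in alias:
        negated = raw.startswith("!")
        member = raw.lstrip("!").strip()        # accept "! %group" as well as "!%group"
        if member_matches(member, user, groups):
            matched = not negated               # a later match overrides an earlier one
    return bool(matched)


# The reporter's alias: negation alone never grants anything, so daemon is denied.
REPORTED = ["! %employee"]
# The maintainer's fix: grant ALL first, then take the employee group away.
FIXED = ["ALL", "!%employee"]

if __name__ == "__main__":
    for user in GROUPS:
        print(f"{user:7s} reported={runas_allowed(REPORTED, user)!s:5s} "
              f"fixed={runas_allowed(FIXED, user)}")
```

In this model order matters: writing the negation before ALL would grant everyone, because the later ALL entry is the last match.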