Bugzilla – Bug 14
Can't combine ALL with ! command alias
Last modified: 2001-12-17 20:40:59 MST
All I would like to do is to disallow some command sets from users but allow them to do everything else. Is this not supported or broken? Please let me know, thanks. --------------------------- ENG ENH = (root) ALL, !SYSOPS --------------------------- I need sudo to disallow users to just enter sudo and become root, and then disallow them with the above SYSOPS command alias. I tried the following but I have to maintain SYSCMD alias and it'll be painful. ---------------------------- ENG ENH = (root) SYSCMD, !SYSOPS ---------------------------- Is there some other way around it, or can sudo be changed to support the above requirement. Thanks you for your help. Eric.
That should work, I've been using things like username hostname = ALL, !SU, !SHELLS for years. Beware however, that order is important and sudo will use the last match it gets. The output of "sudo -l" can be useful in debugging things like this. You might try upgrading to the latest sudo (1.6.3p5) though I'm fairly certain that no bugs related to this have been fixed between 1.6.1 and 1.6.3p5.
I am unable to reproduce this problem. However, it does not make sense to do "ALL, !FOO" since it is trivial to work around this by copying the command to another name, writing a program or script that creates a root shell, etc.