Bugzilla – Bug 729
Runas_Alias allows groups but does not work with negation
Last modified: 2016-03-17 10:18:52 MDT
The sudoers documentation says Alias definitions are permitted to use group selection (%group) as well as group negation (!%group). For example:

    Runas_Alias HUMANS = %employee
    Runas_Alias MACHINES = ! %employee

Whilst sudo accepts both as valid syntax, only the positive group selection is working - the group negation does not work. In my case, I wish to allow all system accounts to run a particular command (e.g. to recycle the daemons) but not permit any member of staff to perform that command. I should be able to use the following sudoers config:

    Runas_Alias MACHINES = ! %employee
    User_Alias CONTROLLER = master
    Cmnd_Alias RECYCLE = /usr/bin/recycle_daemon
    CONTROLLER ALL = (MACHINES) NOPASSWD: RECYCLE

Execution should be as follows:

    sudo -u daemon /usr/bin/recycle_daemon

but it does not work, even though "daemon" is not in group "employee". I could of course list each and every system account in the Runas_Alias to make a positive selection, but it's not practical as I have hundreds of accounts - it's far easier to exclude those groups which cannot run this command.
Negation with the '!' doesn't work that way. It is more accurate to think of it as denying a privilege that has already been granted. To achieve what you want, you do:

    Runas_Alias MACHINES = ALL, !%employee

You need the ALL there since by default sudo grants no privileges.
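To make the behaviour described above concrete, here is an added example (not part of the bug report and not sudo's own code): a simplified model of how a Runas list is evaluated, with a constructed group database. It shows why "! %employee" on its own matches nobody while "ALL, !%employee" matches everyone outside the group.

```python
# Simplified model of sudo's Runas list matching (added illustration, not sudo's code).
# Entries are checked left to right; the last entry that matches decides, and a
# matching negated entry ('!') denies.  If nothing matches, the result is unspecified,
# which sudo treats as "no privilege granted".

from typing import Dict, Optional, Set

# Constructed sample group database: group name -> member account names.
GROUPS: Dict[str, Set[str]] = {
    "employee": {"alice", "bob"},
}

def member_matches(member: str, target_user: str) -> bool:
    """Return True if one (non-negated) Runas list member matches target_user."""
    if member == "ALL":
        return True
    if member.startswith("%"):
        return target_user in GROUPS.get(member[1:], set())
    return member == target_user

def runas_allowed(runas_list: str, target_user: str) -> bool:
    """Evaluate a comma-separated Runas list for target_user."""
    decision: Optional[bool] = None  # None == no entry matched yet
    for raw in runas_list.split(","):
        entry = raw.strip()
        negated = False
        while entry.startswith("!"):  # "! %g" and "!%g" are both negation
            negated = not negated
            entry = entry[1:].lstrip()
        if member_matches(entry, target_user):
            decision = not negated
    # Unspecified (None) means denied, exactly like sudo's default of no privileges.
    return bool(decision)

if __name__ == "__main__":
    # The reporter's alias: nothing ever matches "daemon", so it is denied.
    print(runas_allowed("! %employee", "daemon"))        # False
    # The maintainer's fix: ALL grants, then the negation removes staff.
    print(runas_allowed("ALL, !%employee", "daemon"))    # True
    print(runas_allowed("ALL, !%employee", "alice"))     # False
```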