restricting within command

[Burt Juda]

"julian.rogan" wrote:
> 
> I plan on allowing our helpdesk to change users passwords using sudo as the
> means of allowing this privilege.
> However, as someone just pointed out to me, the helpdesk will also be able to
> change root's password.
> So is there anyway of tightening the privilege in this one respect.

I have the command listed as follows in /etc/sudoers:

	/bin/passwd [a-z]*,!/bin/passwd root,.........

The NOT (!) construction applies the exception needed.

   - Burt