restricting within command

Matthew.Hannigan at Matthew.Hannigan at
Fri May 19 05:41:47 EDT 2000

This rule is not restrictive enough
for good security!


There is a philosophical problem underlying this.

You are allowing anything you don't explicitly deny.

You should be denying anything you don't explicitly allow.


bjuda at on 17/05/2000 22:18:06

To:   sudo-users at
cc:    (bcc: Matthew Hannigan/NL/ABNAMRO/NL)
Subject:  Re: restricting within command

"julian.rogan" wrote:
> I plan on allowing our helpdesk to change users' passwords using sudo as the
> means of allowing this privilege.
> However, as someone just pointed out to me, the helpdesk will also be able to
> change root's password.
> So is there any way of tightening the privilege in this one respect?

I have the command listed as follows in /etc/sudoers:

     /bin/passwd [a-z]*,!/bin/passwd root,.........

The NOT (!) construction applies the exception needed.

   - Burt
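
Added example, not part of the original thread and not code from the sudo project: one way to apply "deny anything you don't explicitly allow" here is to give the helpdesk a small wrapper instead of /bin/passwd itself, so that only a target passing every check reaches passwd. The wrapper path, the helpdesk group name and the UID bounds are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed for example as /usr/local/sbin/helpdesk-passwd.
# Default-deny: anything not explicitly accepted below is refused.

MIN_UID=1000     # assumption: ordinary accounts start at this UID
MAX_UID=60000    # assumption: upper bound, keeps out "nobody"-style accounts
PASSWD_DB=${PASSWD_DB:-/etc/passwd}

# allowed_target ARGS... : succeeds only for exactly one ordinary local user.
allowed_target() {
    [ "$#" -eq 1 ] || return 1                  # exactly one argument
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;        # no options, no odd characters
    esac
    # Exact match on the name field, and the UID must be in the allowed range.
    awk -F: -v u="$1" -v min="$MIN_UID" -v max="$MAX_UID" '
        $1 == u { found = 1; ok = ($3 + 0 >= min && $3 + 0 <= max) }
        END { exit (found && ok) ? 0 : 1 }' "$PASSWD_DB"
}

reset_password() {
    if allowed_target "$@"; then
        exec /bin/passwd "$1"
    fi
    echo "helpdesk-passwd: target not permitted" >&2
    return 1
}

# sudoers entry granting only the wrapper (group name is an assumption):
#   %helpdesk ALL = (root) /usr/local/sbin/helpdesk-passwd
if [ "$#" -gt 0 ]; then
    reset_password "$@"
fi
```

The wrapper must be owned by root and not writable by the helpdesk accounts, otherwise the restriction is only as strong as the file's permissions.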
