[sudo-users] Alias question
jifan sun
sunjifan at yahoo.com
Fri Sep 7 10:41:41 EDT 2007
We have several levels of admins at our sites. One requirement that's been requested is that
the level1 admins only be allowed to sudo to non-root accounts, and also not be able to sudo to any higher level admin accounts.
I took the example on the website.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1st modification, works just as expected. i.e. LVL1ADMIN is able to sudo to any user other than root or john.
LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su john
Level 3 admins are identified as the ADMINS alias.
LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su *ADMINS*
This doesn't work; I've tried several modifications to the above, however so far I've not been able to determine the exact syntax, if this is even possible to do, without explicitly listing each userid within the ADMINS group with !/usr/bin/su
The reasoning behind the requirement is that some are concerned that somehow LVL1ADMIN will be able to acquire the privileges of the ADMINS group; I've already demonstrated that this is not really possible, however that doesn't mean they're going to change the requirement.
Thanks in advance!
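An added example, not part of the original post or of the sudo documentation: in a command specification, the text after the path is a wildcard pattern on the arguments, so `*ADMINS*` matches only the literal string ADMINS, not the alias members. The fragment below expresses the same requirement on the target user with a Runas_Alias instead; the account names alice, bob and mary and the alias name NO_TARGET are constructed for illustration, and it assumes level-1 admins switch users with `sudo -u` rather than `su`.

```sudoers
# Constructed accounts: alice and bob are level-1 admins,
# john and mary are the higher-level admins.
User_Alias   LVL1ADMIN = alice, bob
User_Alias   ADMINS    = john, mary

# Target accounts go in a Runas_Alias, which is the alias type
# a Runas list accepts. Membership is listed once, here.
Runas_Alias  NO_TARGET = root, john, mary

# Form from the post, kept for comparison (commented out).
# ADMINS below is literal text inside a glob on su's arguments:
# LVL1ADMIN ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su *ADMINS*

# Restrict the target user instead of su's argument string.
# This entry replaces the /usr/bin/su entries above; leaving them in
# place would still permit su to the excluded accounts.
LVL1ADMIN    ALL = (ALL, !NO_TARGET) ALL
```

With this entry a level-1 admin opens a session as another user with `sudo -u <user> -i`, and sudo refuses any target listed in NO_TARGET. Check the file with `visudo -c` before installing it.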