[sudo-users] Alias question

jifan sun sunjifan at yahoo.com
Fri Sep 7 10:41:41 EDT 2007


We have several levels of admins at our sites. One requirement that's been requested is that
the level 1 admins only be allowed to sudo to non-root accounts, and also not be able to sudo to any higher level admin accounts.

I took the example on the website.

john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

1st modification works just as expected, i.e. LVL1ADMIN is able to sudo to any user other than root or john.
LVL1ADMIN       ALL  = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su john

Level 3 admins are identified as the ADMINS alias.
LVL1ADMIN       ALL  = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, !/usr/bin/su *ADMINS*

This doesn't work; I've tried several modifications to the above, however so far I've not been able to determine the exact syntax, if this is even possible to do, without explicitly listing each userid within the ADMINS group with !/usr/bin/su

The reasoning behind the requirement is that some are concerned that somehow LVL1ADMIN will be able to acquire the privileges of the ADMINS group; I've already demonstrated that this is not really possible, however that doesn't mean they're going to change the requirement.

Thanks in advance!

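The post ends with the observation that the only form known to work is listing each higher-level admin explicitly with its own !/usr/bin/su entry. The script below is an added example, not part of the original message or of the sudo project: it generates those explicit denials from a list of user names (optionally read from a Unix group named "admins", a hypothetical group name assumed here), builds the full LVL1ADMIN line around the allow clause the poster already uses, and syntax-checks the result with visudo -c -f where visudo is installed. The *name* pattern for each denial follows the *root* pattern in the poster's lines.

```shell
#!/bin/sh
# Added example (not from the original post or the sudo project): build
# per-user "!/usr/bin/su" denials so the sudoers rule does not depend on
# an alias being expanded inside command arguments.
# Assumption: the group that holds the higher-level admins is called
# "admins" (hypothetical); any other source of names works the same way.

# Emit a comma-separated list of deny entries, one per user name, using
# the same *name* glob the poster's lines use for *root*, so that both
# "su name" and "su - name" argument forms are matched.
gen_su_denials() {
    out=""
    for u in "$@"; do
        entry="!/usr/bin/su *${u}*"
        if [ -z "$out" ]; then out="$entry"; else out="$out, $entry"; fi
    done
    printf '%s\n' "$out"
}

# Build the full line for a User_Alias: the allow clause is the poster's
# own, followed by the root denial and one denial per listed admin.
# sudoers uses the last matching entry, so the denials come last.
gen_lvl1_line() {
    alias_name="$1"; shift
    printf '%s ALL = /usr/bin/su [-]*, /usr/bin/su *, !/usr/bin/su *root*, %s\n' \
        "$alias_name" "$(gen_su_denials "$@")"
}

# Read the member list of a Unix group (field 4 of getent output) as a
# space-separated list, so gen_lvl1_line can take it as arguments.
group_members() {
    getent group "$1" | cut -d: -f4 | tr ',' ' '
}

# Syntax-check a candidate sudoers fragment with visudo -c -f when the
# tool is present; it is not installed on every host.
check_fragment() {
    file="$1"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file"
    else
        echo "visudo not available; skipping syntax check" >&2
    fi
}

# Demo: run as "sh script.sh --demo" to see the generated line and the
# visudo check; member names here are constructed sample values.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    gen_lvl1_line LVL1ADMIN john alice bob > "$tmp"
    cat "$tmp"
    check_fragment "$tmp"
    rm -f "$tmp"
fi
```

To draw the names from the group instead of typing them, call `gen_lvl1_line LVL1ADMIN $(group_members admins)` (unquoted on purpose, so each member becomes a separate argument). Note that a *john* glob also matches any account whose name merely contains "john" (for example "johnny"); because these entries are denials, that over-match errs toward refusing access, which is the safer direction for this requirement.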

