[sudo-users] Negation problems
christian.peper at kpn.com
Mon Jul 28 08:38:39 EDT 2008
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Aimon Bustardo
> Sent: Friday, July 25, 2008 12:47 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Negation problems
>
> I am having troubles with getting sudo to properly negate on CentOS 5:
>
> %spokes ALL=(ALL) ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*, /usr/bin/vim *[!/etc/sudoers]*
>
> From the docs, this should allow everything except the three
> commands at the end. If I remove the ALL and manually enter
> items that can be run it works fine. However the moment I
> enter the ALL it allows everything.
> The rest of the line is not processed or is ignored.
Aimon,
what if you change the order? I.e. first list the negated cmds, then
ALL.
In general, creating a sudo rule that allows everything except a few
things is hard to do and prone to clever abuse by knowledgeable users.
This is what LDAP is for. So you may consider using an LDAP-enabled sudo
version and storing permissions there.
Chris.
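To see how the order of negated entries changes the outcome before touching a real sudoers file, here is an added example (not sudo's code and not from either poster) that models the rule documented in the sudoers manual: every matching entry in a Cmnd_Spec list is applied in order and the last match decides. It assumes simple comma-separated entries with fnmatch-style argument globs, which is all the rule in the question uses; aliases, Runas specs and tags are not modelled.

```python
import fnmatch
import shlex

# Simplified model of sudo's Cmnd_Spec evaluation (added example, not sudo's
# own matching code). The sudoers manual also notes that subtracting commands
# from ALL with "!" is not an effective restriction, because the match is only
# on the path and argument text; that is the "clever abuse" the reply refers to.

def parse_cmnd_list(spec):
    """Turn 'ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*' into a list of
    (negated, path, arg_pattern) tuples; arg_pattern None means 'any args'."""
    entries = []
    for raw in spec.split(","):
        item = raw.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:].lstrip()
        if item == "ALL":
            entries.append((negated, "ALL", None))
            continue
        path, _, arg_pattern = item.partition(" ")
        entries.append((negated, path, arg_pattern.strip() or None))
    return entries

def entry_matches(entry, path, args):
    """One entry matches when the path is equal and the argument string
    glob-matches, as sudo does with fnmatch(3)."""
    _negated, e_path, e_args = entry
    if e_path == "ALL":
        return True
    if e_path != path:
        return False
    if e_args is None:          # no arguments listed in sudoers: any args match
        return True
    if e_args == '""':          # explicit empty string: only the bare command
        return not args
    return fnmatch.fnmatchcase(" ".join(args), e_args)

def sudo_allows(spec, command):
    """Apply every matching entry in order; the last match decides.
    No match at all means this list does not permit the command."""
    argv = shlex.split(command)
    path, args = argv[0], argv[1:]
    decision = False
    for entry in parse_cmnd_list(spec):
        if entry_matches(entry, path, args):
            decision = not entry[0]
    return decision

# The rule from the question, and the same entries with the negation first.
ORIGINAL = "ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*, /usr/bin/vim *[!/etc/sudoers]*"
REORDERED = "!/usr/bin/su *root*, /usr/bin/su [!-]*, ALL"
```

On a real host, `visudo -c` validates the file syntax and `sudo -l` shows the entries sudo would actually apply for the invoking user; this model only reproduces the ordering rule.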