[sudo-users] Negation problems

christian.peper at kpn.com christian.peper at kpn.com
Mon Jul 28 08:38:39 EDT 2008

> -----Original Message-----
> From: sudo-users-bounces at courtesan.com 
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Aimon Bustardo
> Sent: Friday, July 25, 2008 12:47 PM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Negation problems
> I am having troubles with getting sudo to properly negate on CentOS 5:
> %spokes  ALL=(ALL) ALL, /usr/bin/su [!-]*, !/usr/bin/su 
> *root*, /usr/bin/vim *[!/etc/sudoers]*
>  From the docs, this should allow everything except the three 
> commands at the end. If I remove the ALL and manually enter 
> items that can be run it works fine. However the moment I 
> enter the ALL it allows everything. 
> The rest of the line is not processed or is ignored.


what if you change the order? I.e. first list the negated cmds, then

In general, creating a sudo rule that allows everything except a few
things is hard to do and prone to clever abuse by knowledgable users.
This is what LDAP is for. So you may consider using an LDAP-enabled sudo
version and storing permissions there.


More information about the sudo-users mailing list