[sudo-users] Negation problems

Aimon Bustardo abustardo at mor.ph
Mon Jul 28 17:57:38 EDT 2008

christian.peper at kpn.com wrote:
>> -----Original Message-----
>> From: sudo-users-bounces at courtesan.com 
>> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Aimon Bustardo
>> Sent: Friday, July 25, 2008 12:47 PM
>> To: sudo-users at sudo.ws
>> Subject: [sudo-users] Negation problems
>> I am having troubles with getting sudo to properly negate on CentOS 5:
>> %spokes  ALL=(ALL) ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*, /usr/bin/vim *[!/etc/sudoers]*
>> From the docs, this should allow everything except the three 
>> commands at the end. If I remove the ALL and manually enter 
>> items that can be run it works fine. However the moment I 
>> enter the ALL it allows everything. 
>> The rest of the line is not processed or is ignored.
> Aimon,
> what if you change the order? I.e. first list the negated cmds, then
> ALL.
I tried that with same result.
> In general, creating a sudo rule that allows everything except a few
> things is hard to do and prone to clever abuse by knowledgable users.
> This is what LDAP is for. So you may consider using an LDAP-enabled sudo
> version and storing permissions there.
Thanks for this tip. I will look into this as we already use LDAP for 
many other things.

I am still quite curious though why this is not working the way the man 
pages and docs say... Any clues anyone can give would be appreciated.

> Chris.
> ____________________________________________________________ 
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users

Aimon Bustardo
Senior IT Architect
Morph Labs
Cell:  +1 310 625 0608
Office: +1 310 437 4898
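An added example, not part of the thread, showing the approach Aimon says does work (drop ALL and list the permitted commands explicitly) next to the ALL-plus-negation rule from the question; the group name and the su/vim commands come from the thread, while the service, log and config paths under the aliases are assumed placeholders.

```sudoers
# --- Rule from the question (fragile) -------------------------------------
# sudoers is evaluated top to bottom and the last matching entry wins, so a
# leading ALL grants everything and the later entries only take effect when
# their wildcard matches the exact argument string. Note also that [!...] is a
# character-class glob, not a string exclusion: "*[!/etc/sudoers]*" matches any
# argument containing a character outside the set {/ e t c s u d o r}.
#
#   %spokes ALL=(ALL) ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*, /usr/bin/vim *[!/etc/sudoers]*

# --- Explicit allow-list (what "remove the ALL and enter items" looks like) -
# Only listed commands are granted; nothing is inferred from ALL, so there is
# no su or vim entry that a negation has to catch up with.

# Assumed placeholder commands for the group's day-to-day tasks.
Cmnd_Alias SPOKES_ADMIN = /sbin/service httpd *, \
                          /usr/bin/tail -f /var/log/messages

# File edits go through sudoedit, which copies the file to a temp location,
# runs the editor unprivileged and copies it back, so the editor itself never
# runs as root. Assumed placeholder path.
Cmnd_Alias SPOKES_EDIT  = sudoedit /etc/httpd/conf/httpd.conf

# Run as root only, not (ALL); su is deliberately absent.
%spokes ALL = (root) SPOKES_ADMIN, SPOKES_EDIT
```

Check the file with `visudo -c` before installing it, and confirm the resulting grants for a member of the group with `sudo -l -U <user>`.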
