[sudo-users] Negation problems
Aimon Bustardo
abustardo at mor.ph
Mon Jul 28 17:57:38 EDT 2008
christian.peper at kpn.com wrote:
>> -----Original Message-----
>> From: sudo-users-bounces at courtesan.com
>> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Aimon Bustardo
>> Sent: Friday, July 25, 2008 12:47 PM
>> To: sudo-users at sudo.ws
>> Subject: [sudo-users] Negation problems
>>
>> I am having trouble getting sudo to negate properly on CentOS 5:
>>
>> %spokes ALL=(ALL) ALL, /usr/bin/su [!-]*, !/usr/bin/su *root*, /usr/bin/vim *[!/etc/sudoers]*
>>
>> From the docs, this should allow everything except the three
>> commands at the end. If I remove the ALL and manually enter
>> items that can be run, it works fine. However, the moment I
>> enter the ALL, it allows everything.
>> The rest of the line is not processed or is ignored.
>>
>
> Aimon,
>
> What if you change the order, i.e., first list the negated cmds, then
> ALL?
>
I tried that with the same result.
> In general, creating a sudo rule that allows everything except a few
> things is hard to do and prone to clever abuse by knowledgeable users.
> This is what LDAP is for. So you may consider using an LDAP-enabled sudo
> version and storing permissions there.
>
Thanks for this tip. I will look into this as we already use LDAP for
many other things.
I am still quite curious, though, why this is not working the way the man
pages and docs say.... Any clues anyone can give would be appreciated.
Aimon
> Chris.
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
>
--
Aimon Bustardo
Senior IT Architect
Morph Labs
Cell: +1 310 625 0608
Office: +1 310 437 4898
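The rule in the quoted message can be checked entry by entry with a small model of sudoers matching. The model below is an added example written for this page, not sudo's own code; it assumes (simplified from the sudoers man page) that sudo joins a command's arguments with single spaces and matches that string with fnmatch(3) against the entry's argument pattern, that an entry with a path but no arguments matches any arguments, and that entries are evaluated in order with the last match winning, a '!' entry meaning deny. The RULE list is the rule from the thread, re-joined onto one line; the probe commands are constructed.

```python
"""Simplified model of sudoers Cmnd matching (added example, not sudo's code).

Assumptions: arguments are joined with single spaces and matched with
fnmatch(3) against the entry's argument pattern; a bare path matches any
arguments; entries are evaluated in order and the last match wins, with a
'!' entry meaning deny.
"""
import fnmatch

# Constructed input: the four Cmnd entries of the rule from the thread.
RULE = [
    "ALL",
    "/usr/bin/su [!-]*",
    "!/usr/bin/su *root*",
    "/usr/bin/vim *[!/etc/sudoers]*",
]


def parse_entry(entry):
    """Split a Cmnd entry into (negated, command_path, arg_pattern_or_None)."""
    negated = entry.startswith("!")
    body = entry[1:].strip() if negated else entry.strip()
    if body == "ALL":
        return negated, "ALL", None
    path, _, args = body.partition(" ")
    return negated, path, (args if args else None)


def entry_matches(entry, cmd, args):
    """True if the entry covers `cmd` run with the argument string `args`."""
    _negated, path, pattern = parse_entry(entry)
    if path == "ALL":
        return True
    if path != cmd:
        return False
    if pattern is None:          # bare path in sudoers: any arguments
        return True
    if pattern == '""':          # explicit "" in sudoers: no arguments at all
        return args == ""
    # fnmatch semantics: '*' also matches spaces and '/', and '[!...]' is
    # ONE character not in the set, not "anything except this string".
    return fnmatch.fnmatchcase(args, pattern)


def evaluate(rule, cmd, args=""):
    """Last-match evaluation: returns (allowed, entry that decided it)."""
    decision = (False, None)
    for entry in rule:
        if entry_matches(entry, cmd, args):
            decision = (not entry.startswith("!"), entry)
    return decision


if __name__ == "__main__":
    # Constructed probes: what a member of %spokes might type after "sudo".
    probes = [
        ("/usr/bin/su", "root"),
        ("/usr/bin/su", ""),
        ("/usr/bin/su", "-"),
        ("/usr/bin/su", "- root"),
        ("/usr/bin/vim", "/etc/sudoers"),
        ("/bin/bash", ""),
    ]
    for cmd, args in probes:
        allowed, entry = evaluate(RULE, cmd, args)
        print(f"{cmd} {args!r:>14}: {'ALLOW' if allowed else 'DENY':5} via {entry}")
```

Under these semantics only "su root" and "su - root" hit the one deny entry; "su" with no arguments and "su -" are matched by nothing but ALL, and "vim /etc/sudoers" is allowed by ALL because the vim entry is a positive entry whose "[!/etc/sudoers]" is a character class rather than a negated string. That is consistent with the warning in the thread that subtracting a few commands from ALL is hard to get right; on a real host, run "sudo -l" as the affected user to see what sudo itself concludes.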