[sudo-users] Deny all command on /var/log/sudolog
Jordi Espasa Clofent
jespasac at minibofh.org
Wed Aug 5 03:49:47 EDT 2009
Hi list,
I have LDAP+sudo working like a charm. The sudo configuration of the user
Ivan is:
# sudo -l
Password:
User ivan may run the following commands on this host:
LDAP Role: hosting_sat
Commands:
!/usr/bin/su
/usr/bin*
/usr/sbin/vipw
/usr/sbin/chown
/usr/sbin/pkg_info
/sbin/ipfw
/usr/local/bin*
/usr/local/sbin/apachectl
/usr/sbin/rmuser
!/bin/csh
!/bin/tcsh
/usr/local/etc/rc.d/apache2
/usr/local/etc/rc.d/pure-ftpd
/usr/local/sbin/pure-ftpwho
/usr/local/sbin/postcat
/usr/local/etc/rc.d/postfix
!/bin/su
/sbin/ifconfig
/usr/sbin/apache2ctl
I want to deny all possible operations on /var/log/sudolog. I've tried
(without success) the following combinations/syntax:
!ALL /var/log/sudolog
* /var/log/sudo/log
I've even tried to change
/usr/bin*
to
/usr/bin* !/var/log/sudolog
How can I do it?
--
Thanks,
Jordi Espasa Clofent