[sudo-users] LDAP defaults for commands

Todd C. Miller Todd.Miller at sudo.ws
Thu Dec 7 17:33:11 MST 2017

Another way to achieve this is to use a sudoRole object that contains
the commands for which you wish to disable execute and give it a
large value sudoOrder attribute.  You still have to assign users
to the sudoRole but the more restrictive role will be the one to
match.  For example, something like the following will override
rules with a lower sudoOrder (which defaults to 0).

dn: cn=pagers,ou=SUDOers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: pagers
sudoUser: millert
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoHost: ALL
sudoCommand: /usr/bin/less
sudoCommand: /usr/bin/more
sudoCommand: /usr/bin/pg
sudoOption: noexec
sudoOrder: 1000

More information about the sudo-users mailing list