[sudo-users] sudoRunAsUser negation

Michael W. Lucas mwlucas at michaelwlucas.com
Wed Jul 10 13:53:20 MDT 2019


I'm trying to wrap my brain around sudoRunAsUser|Group and negation.

Negation seems to have an obvious use in sudoUser: "allow this group,
except this person."

Why would you use negation in a sudoRunAsUser, though? I mean:

sudoRunAsUser: postgres
sudoRunAsUser: mysql
sudoRunAsUser: !mysql

I read this as "allow running as postgres."

Or is it a way of explicitly rejecting certain access in this
sudoRole, more like:

sudoRunAsUser: !root
sudoRunAsUser: postgres
sudoRunAsUser: mysql

Or something else?

Any enlightenment appreciated.


PS: Yes, this is for the new edition of sudo mastery. I am sadly
limited by not having a multibillion-dollar employer to experiment on,
as I did in the first edition. ;-)

Michael W. Lucas 	https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...

More information about the sudo-users mailing list