[sudo-users] Disallow User switching in Group
Todd C. Miller
Todd.Miller at sudo.ws
Tue Nov 16 07:34:00 MST 2021
On Tue, 16 Nov 2021 11:19:47 +0100, Patrik Peng wrote:
> Is there any way to match all users in group `%sudo-iolog` but restrict
> the `-u` option to the user calling `sudo` without explicitly writing
> the username in the config?

Yes, there is. The syntax is not obvious but a sudoers rule like:

    %sudo-iolog ALL=(:) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash, /usr/bin/bash, /usr/local/bin/bash

should do the trick. An empty RunasUser will match the invoking
user. An empty set of parentheses should also work. You can verify
this by running "sudo -l" as that user. The output will expand the
empty RunasUser to the user's login name.

- todd
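
The Runas_Spec forms relevant to the reply above, side by side, as an added example that is not part of the original message. The behaviour in the comments follows the sudoers manual's description of Runas_Spec; the user name alice, the group adm and the idea of placing this in a drop-in file are constructed for illustration.

```sudoers
# Constructed sudoers fragment (for example a drop-in file; location is an assumption).
# Only one of these alternatives would be active at a time; the broader
# ones are left commented out for comparison.
# Syntax-check a fragment before installing it:  visudo -cf <file>

# (1) Too broad for the question asked: with (ALL), -u may name any user,
#     so a group member can start a logged shell as someone else.
# %sudo-iolog ALL=(ALL) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash

# (2) No Runas_Spec at all: the command may only be run as root.
# %sudo-iolog ALL= SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash

# (3) Per-user rules: correct, but needs one line per login name, which is
#     what the question wanted to avoid. "alice" is a constructed name.
# alice ALL=(alice) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash

# (4) Empty Runas_Spec, the rule from the reply: both Runas_Lists are empty,
#     so the command may only be run as the invoking user, and a group given
#     with -g must be one the invoking user already belongs to.
#     "()" is the equivalent spelling mentioned in the reply.
%sudo-iolog ALL=(:) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash, /usr/bin/bash, /usr/local/bin/bash

# (5) Empty user list with a group list: still runs as the invoking user,
#     but -g may select one of the listed groups. "adm" is a constructed name.
# %sudo-iolog ALL=(:adm) SETENV: NOPASSWD: LOG_INPUT: LOG_OUTPUT: /bin/bash
```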