[sudo-users] What is the opposite of ALL?
Todd C. Miller
Todd.Miller at sudo.ws
Tue Nov 16 15:51:41 MST 2021
On Tue, 16 Nov 2021 11:24:41 -0700, Grant Taylor via sudo-users wrote:
> What is the opposite of ALL in the command list in following rule?
>
> %group ALL = (ALL) ALL
>
> My kneejerk reaction is to use the following.
>
> %group ALL = (ALL) !ALL
>
> But "!ALL" seems ... wrong to me.
You are correct, "!ALL" is what you are looking for even if it looks
a bit "funny".
> Yes, I know the dangers of negation. I'm trying to set a safety net /
> trap for a legacy group that's no longer being used after a migration to
> a new group.
>
> %oldgroup ALL = (ALL) !ALL
> %newgroup ALL = (ALL) NewGroupCommands
>
> My intention is to cause a hard / fast failure if ID Administration
> inadvertently adds new users to the old group instead of the new group.
That should do what you want. Order is important here since the
last rule wins but I think you understand that.
- todd
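
An added example, not part of the original message or of sudo's own code: a simplified Python model of the "last rule wins" behaviour discussed above, showing what a user who ends up in both groups gets under either rule order. The contents of NewGroupCommands and the command paths are constructed assumptions; host and runas matching are left out.

```python
# Simplified model of sudoers evaluation: the last matching rule decides.
# Group names come from the thread; alias contents and paths are constructed.
NEW_GROUP_COMMANDS = {"/usr/bin/systemctl", "/usr/bin/journalctl"}  # hypothetical

# Each rule: (group, command set or the string "ALL", negated?)
RULES_AS_POSTED = [
    ("oldgroup", "ALL", True),                # %oldgroup ALL = (ALL) !ALL
    ("newgroup", NEW_GROUP_COMMANDS, False),  # %newgroup ALL = (ALL) NewGroupCommands
]
RULES_REVERSED = list(reversed(RULES_AS_POSTED))


def decide(rules, user_groups, command):
    """Return 'allow' or 'deny', scanning the rules from last to first."""
    for group, cmnds, negated in reversed(rules):
        if group not in user_groups:
            continue  # rule does not apply to this user
        if cmnds == "ALL" or command in cmnds:
            # First match found from the end is the last match in file order.
            return "deny" if negated else "allow"
    return "deny"  # no rule matched at all


def report(rules):
    """Evaluate constructed membership/command cases against a rule order."""
    memberships = [{"oldgroup"}, {"newgroup"}, {"oldgroup", "newgroup"}]
    commands = ["/usr/bin/systemctl", "/bin/sh"]
    return {
        (",".join(sorted(groups)), cmd): decide(rules, groups, cmd)
        for groups in memberships
        for cmd in commands
    }


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("reversed", RULES_REVERSED)):
        print(label)
        for (groups, cmd), verdict in report(rules).items():
            print(f"  {groups:18} {cmd:20} {verdict}")
```

With the order as posted, a user in both groups still gets NewGroupCommands and nothing else; with the order reversed, the `!ALL` rule comes last and denies that user everything.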