[sudo-workers] Supporting sudoUser:!foo in sudo.ldap

Michael Felt michael at felt.demon.nl
Tue Dec 14 10:47:21 MST 2021

If you mean add a ! (not) operator, and that it should apply to any combination of any label now used to construct access control logic - imho, that makes perfect sense. Stronger, I would think it was a bug when the others did not work.


-----Original Message-----
From: sudo-workers <sudo-workers-bounces at sudo.ws> On Behalf Of Todd C. Miller
Sent: Tuesday, 14 December 2021 08:56
To: Simon Lees <sflees at suse.de>
Cc: sudo-workers at sudo.ws
Subject: Re: [sudo-workers] Supporting sudoUser:!foo in sudo.ldap

I think this is worth pursuing.  The question I have is whether supporting !username is sufficient.  If we are going to support this kind of construct, it should probably mirror the existing query that contains uid, groups, gids and netgroups.

Does that make sense?

 - todd