Hello,

Is there a proper way in sudo rules to allow any command and exclude only some groups? Something like:

    %test_group ALL= (ALL) ALL, !SU, !SHELLS

If I try to do this (gui/cli) I get an error:

    ipa: ERROR: commands cannot be added when command category='all'

A non-proper way (bug?) is to first add deny groups and after that add allow all :) It should be fixed in this, but it seems to still work (freeipa-server-3.3.4-3): https://fedorahosted.org/freeipa/ticket/1440

Thanks,
Szymon
On 05/07/2014 10:11 AM, Szymon Jazy wrote:
Hello,

Is there a proper way in sudo rules to allow any command and exclude only some groups? Something like:

    %test_group ALL= (ALL) ALL, !SU, !SHELLS

If I try to do this (gui/cli) I get an error:

    ipa: ERROR: commands cannot be added when command category='all'

A non-proper way (bug?) is to first add deny groups and after that add allow all :) It should be fixed in this, but it seems to still work (freeipa-server-3.3.4-3): https://fedorahosted.org/freeipa/ticket/1440

Thanks,
Szymon
Hi,

this is possible in sudo-ldap (except that you have to specify single commands, since the sudo schema doesn't support command groups). However, I am not sure whether it is supported by the IPA tools. I suggest you ask on the freeipa-users list [1].
sssd-users@lists.fedorahosted.org
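
An added illustration of the reply above, not code from either poster or from the sudo or FreeIPA projects: it expands the command groups in the rule from the question into single commands and emits the matching sudo-ldap sudoRole entry. The members of SU and SHELLS, the entry name and the base DN are constructed assumptions, since the thread does not give them.

```python
import re

# Constructed alias contents: the thread names SU and SHELLS but never lists their members.
ALIASES = {
    "SU": ["/bin/su"],
    "SHELLS": ["/bin/sh", "/bin/bash"],
}

RULE = "%test_group ALL= (ALL) ALL, !SU, !SHELLS"  # rule as written in the question


def expand_commands(cmnd_spec, aliases):
    """Flatten a sudoers command list, replacing each alias with its single commands."""
    out = []
    for item in (c.strip() for c in cmnd_spec.split(",")):
        negated = item.startswith("!")
        name = item.lstrip("!").strip()
        members = aliases.get(name, [name])  # ALL and plain paths pass through unchanged
        out.extend(("!" if negated else "") + m for m in members)
    return out


def rule_to_ldif(rule, aliases, cn, base_dn):
    """Convert one 'user host = (runas) cmds' sudoers line into a sudoRole LDIF entry."""
    m = re.fullmatch(r"\s*(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(.+)", rule)
    if not m:
        raise ValueError("unsupported sudoers line: %r" % rule)
    user, host, runas, cmds = m.groups()
    lines = [
        "dn: cn=%s,%s" % (cn, base_dn),
        "objectClass: top",
        "objectClass: sudoRole",
        "cn: %s" % cn,
        "sudoUser: %s" % user,
        "sudoHost: %s" % host,
        "sudoRunAsUser: %s" % runas.strip(),
    ]
    # One sudoCommand value per single command; negated entries keep their "!" prefix.
    lines += ["sudoCommand: %s" % c for c in expand_commands(cmds, aliases)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Entry name and base DN are placeholders (assumptions), not values from the thread.
    print(rule_to_ldif(RULE, ALIASES, "test_group_all_but_shells",
                       "ou=SUDOers,dc=example,dc=com"))
```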