[Freeipa-users] sudorules - allow all and exclude some

Jakub Hrozek jhrozek at redhat.com
Wed May 7 09:24:25 UTC 2014


On Wed, May 07, 2014 at 11:17:54AM +0200, Jakub Hrozek wrote:
> On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote:
> > Hello,
> > Is there a proper way in sudo rules to allow any command and exclude only
> > some groups?
> > Something like:
> > %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
> > If I try to do this (gui/cli) I get an error:
> > ipa: ERROR: commands cannot be added when command category='all'
> > 
> > The non-proper way (bug?) is to first add the deny groups and after that add allow
> > all :)
> > It should be fixed in this, but it seems to still work
> > (freeipa-server-3.3.4-3)
> > https://fedorahosted.org/freeipa/ticket/1440
> > 
> > Thanks
> > Szymon
> 
> Hi Szymon,
> 
> freeipa-users might be a good place to ask this question. As you
> noticed, plain sudo does support this functionality, but I'm not
> completely sure about IPA's UI. The IPA developers would know, I'm sure.

Obviously, I was going to respond to Szymon's same question on
sssd-users and missed that he forwarded the question to freeipa-users as
well. Sorry for the noise.



