[Freeipa-users] sudorules - allow all and exclude some

Rob Crittenden rcritten at redhat.com
Wed May 7 13:15:24 UTC 2014


Szymon Jazy wrote:
> Hello,
> Is there a proper way in sudo rules to allow any command and exclude
> only some groups?
> Something like:
> %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
> If I try to do this (gui/cli) I get an error:
> ipa: ERROR: commands cannot be added when command category='all'

Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340

> The non-proper way (bug?) is to first add deny groups and after that add
> allow all :)
> It should be fixed in this, but it seems to still work
> (freeipa-server-3.3.4-3)
> https://fedorahosted.org/freeipa/ticket/1440

Right, it was an incomplete fix. I opened
https://fedorahosted.org/freeipa/ticket/4341 to address that, though to
be coordinated with 4340 so we don't remove your workaround first.

rob



