[Freeipa-users] sudorules - allow all and exclude some

Szymon Jazy szymon.jazy at gmail.com
Wed May 7 13:17:41 UTC 2014


Ok, thanks.


2014-05-07 15:15 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:

> Szymon Jazy wrote:
>
>> Hello,
>> Is there a proper way in sudo rules to allow any command and exclude
>> only some groups?
>> Something like:
>> %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
>> If I try to do this (gui/cli) I get an error:
>> ipa: ERROR: commands cannot be added when command category='all'
>>
>
> Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340
>
>
>> Non proper way (bug ?) is to first add deny groups and after that add
>> allow all :)
>> It should be fixed in this, but it seems to still work
>> (freeipa-server-3.3.4-3)
>> https://fedorahosted.org/freeipa/ticket/1440
>>
>
> Right, it was an incomplete fix. I opened
> https://fedorahosted.org/freeipa/ticket/4341 to address that, though to be
> coordinated with 4340 so we don't remove your workaround first.
>
> rob
>
>