This is a discussion on SUDO: executing as {any but non-root user} won't work within the Linux Security forums, part of the System Security and Security Related category.

Hello,

I want one user (menuadmin) to be able to execute some command as ANY user BUT NOT root (and with no password).

This is my sudoers:

    #
    menuadmin ALL= ( !root ) NOPASSWD: /usr/bin/id
    #

Logged as menuadmin, I keep being asked for a password when I type:

    sudo -u joe /usr/bin/id

When I change "!root" to "joe", everything works as expected.
The " ! " operator is allowed for users on the sudoers man page though.

I don't understand. Could someone help me and explain this behaviour?

Thanks
Jerome

freejazz13@gmail.com wrote:
> Update: I reply to my own message
> it seems that using the following syntax
> (ALL, ! root ) does the trick...

That being the only correct syntax, yeah.
One wonders why you would want to prohibit root from sudo-ing anyway - you cannot logically prohibit root from doing anything.

--
All your bits are belong to us.

You misunderstood (or I explained myself not clearly, sorry)
I don't want to prohibit root from executing, I want a certain user to be able to execute a certain command AS any user, except root (i.e. the user can not become root while executing the command)

J

Jeroen Geilman wrote:
> freejazz13@gmail.com wrote:
>
> > Update: I reply to my own message
> > it seems that using the following syntax
> > (ALL, ! root ) does the trick...
>
> That being the only correct syntax, yeah.
> One wonders why you would want to prohibit root from sudo-ing anyway - you
> cannot logically prohibit root from doing anything.
>
>
> --
> All your bits are belong to us.

freejazz13@gmail.com wrote:
> You misunderstood (or I explained myself not clearly, sorry)
> I don't want to prohibit root from executing, I want a certain user to
> be able to execute a certain command AS any user, except root (i.e. the
> user can not become root while executing the command)

A-HA!
Light dawns...

Sorry, my experience with sudo doesn't go that far.

--
All your bits are belong to us.

On 2006-12-07, freejazz13@gmail.com wrote:
>
> Jeroen Geilman wrote:
>> freejazz13@gmail.com wrote:
>>
>> > Update: I reply to my own message
>> > it seems that using the following syntax
>> > (ALL, ! root ) does the trick...
>>
>> That being the only correct syntax, yeah.
>> One wonders why you would want to prohibit root from sudo-ing anyway - you
>> cannot logically prohibit root from doing anything.

[please don't top post]

> You misunderstood (or I explained myself not clearly, sorry)
> I don't want to prohibit root from executing, I want a certain user to
> be able to execute a certain command AS any user, except root (i.e. the
> user can not become root while executing the command)

Write a wrapper, e.g.:

    case $1 in
        root) ;;
        *) su - "$1" -c COMMAND ;;
    esac

...and give the user the right to execute it in /etc/sudoers.

--
Chris F.A. Johnson, author      | <http://cfaj.freeshell.org>
Shell Scripting Recipes:        | My code in this post, if any,
A Problem-Solution Approach     | is released under the
2005, Apress                    | GNU General Public Licence
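
The wrapper idea from the last reply, as an added example that is not part of the original thread: it rejects any account that resolves to UID 0 rather than only the literal name "root", and refuses names that su could read as options. The function names (lookup_uid, target_allowed, run_as) are hypothetical; /usr/bin/id is the command from the question, and the script is assumed to be root-owned and granted to menuadmin in /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the thread): run a fixed command as any
# existing account except one with UID 0.
# Assumption: installed root-owned, not writable by others, and listed
# for menuadmin in /etc/sudoers, so the wrapper itself runs as root.

COMMAND=/usr/bin/id    # the command from the original question

# Resolve an account name to its numeric UID; fails for unknown accounts.
lookup_uid() {
    id -u -- "$1" 2>/dev/null
}

# Return 0 only if $1 is a plain account name that exists and is not UID 0.
target_allowed() {
    case $1 in
        # empty, option-like (leading "-"), or unexpected characters
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    uid=$(lookup_uid "$1") || return 1    # unknown account
    [ "$uid" -ne 0 ]                      # any UID-0 account, whatever its name
}

# Switch to the target account, or refuse with a message on stderr.
run_as() {
    if target_allowed "$1"; then
        exec su - "$1" -c "$COMMAND"
    fi
    echo "refusing to run $COMMAND as '$1'" >&2
    return 1
}

# Act only when a target user is given on the command line.
if [ "$#" -gt 0 ]; then
    run_as "$1"
fi
```

Comparing the resolved UID covers a second UID-0 account that a name comparison against "root" would let through.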