Hi Marco,

On Tue, Aug 04, 2020 at 09:47:24AM +0200, Marco Möller wrote:
> Is it possible (how?) to restrict a user to only be allowed to make use of
> its sudo usage permission if working at the physical console, not granting
> to this user sudo permission when i.e. logged in via ssh?

I was intrigued by this question so I tried to find out how to do it.
I was unsuccessful and only got as far as:

    https://www.sudo.ws/pipermail/sudo-users/2009-April/004015.html

Probably the feature has not been added to sudo in the last 11 years
either.

Perhaps using pam_group.so you could force users on certain ttys into
a specific group, and allow that group (only) to use sudo?

    http://www.linux-pam.org/Linux-PAM-html/sag-pam_group.html

I've never done it but the above seems to imply that putting something
like:

    *;tty*;*;*;mysudogroup

into /etc/security/group.conf would put any user logging in on tty*
into the group "mysudogroup". If you allowed "mysudogroup" to use sudo
in /etc/sudoers then maybe that works.

I would be interested to know if that is a workable solution.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
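
An offline checker for the group.conf rule suggested above, added here as an example and not part of the original message: it models the five-field `services;ttys;users;times;groups` rule format from the pam_group documentation to show which tty names such a rule would match. The function names and the sample service, tty and user values are assumptions; the times field is not evaluated, and the check says nothing about whether sudo honours the resulting group.

```python
import fnmatch
import re


def _logic_match(expr, value):
    """Match value against a logic list: patterns joined by & or |, each
    optionally prefixed with !. Evaluated left to right (assumption).
    fnmatch is a superset of the single-* wildcard pam_group documents."""
    result, op = None, None
    for tok in re.findall(r"[&|]|[^&|\s]+", expr):
        if tok in ("&", "|"):
            op = tok
            continue
        negate = tok.startswith("!")
        hit = fnmatch.fnmatchcase(value, tok.lstrip("!")) != negate
        if result is None:
            result = hit
        elif op == "&":
            result = result and hit
        else:
            result = result or hit
    return bool(result)


def granted_groups(conf_text, service, tty, user):
    """Return the groups the rules in conf_text would add for this login.
    The times field is split off but not evaluated (treated as always active)."""
    # Accept a device path as well as a bare tty name (assumption).
    tty = tty[5:] if tty.startswith("/dev/") else tty
    groups = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"expected 5 ';'-separated fields: {raw!r}")
        services, ttys, users, _times, grp = fields
        if (_logic_match(services, service) and _logic_match(ttys, tty)
                and _logic_match(users, user)):
            groups.update(g for g in re.split(r"[,\s]+", grp) if g)
    return groups


# Constructed sample: the single rule quoted in the message above.
SAMPLE_CONF = "*;tty*;*;*;mysudogroup\n"
```

With the sample rule, a login on `tty1` yields `mysudogroup`, while a pseudo-terminal name such as `pts/0` yields no groups.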