On Thu 10 Dec 2020 at 16:48:36 (+0300), Reco wrote: > On Thu, Dec 10, 2020 at 03:36:47PM +0200, Andrei POPESCU wrote: > > At least on Debian sudo has to be explicitly configured to allow a > > regular user to use '-u' with another user name. We can only assume the > > admin had good reasons to that, possibly on purpose (see below). > > You're correct here, one has to explicitly allow such activity in > sudoers in Debian and just about any OS I've encountered these years > (assuming it has sudo, of course). > > I just like to remind you the original question: > > Is there a way to put an account "beyond use", in any way including su, > sudo etc, > > *In any way* includes the way I've described above IMO.
The original question was almost a textbook example of the X Y problem. The opening statement says "you'll inevitably end up with situations where users are created on some of the machines only for the purpose of keeping the IDs in synch", and that's wrong. So why try to solve it. Fortunately, this statement reveals X (which would be unreported in a true textbook example). Your reminder of the "original question" just quotes part of Mark's attempted solution to problem Y, namely creating an account that's barred. The answer to the real "original question" is to avoid creating those accounts at all—then there's no need to bar them. Cheers, David.
