On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote: > Hello, > Is there a proper way in sudo rules to allow any command and exclude only > some groups? > Something like: > %test_group ALL= (ALL) ALL, !SU, !SHELLS > If I try to do this (gui/cli) I get an error: > ipa: ERROR: commands cannot be added when command category='all' > > Non proper way (bug ?) is to first add deny groups and after that add allow > all :) > It should be fixed in this, but it seems to still work > (freeipa-server-3.3.4-3) > https://fedorahosted.org/freeipa/ticket/1440 > > Thanks > Szymon
Hi Szymon, freeipa-users might be a good place to ask this question. As you noticed, plain sudo does support this functionality, but I'm not completely sure about IPA's UI. The IPA developers would know, I'm sure. _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
