On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote:
> Hello,
> Is there a proper way in sudo rules to allow any command and exclude only
> some groups?
> Something like:
> %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
> If I try to do this (gui/cli) I get an error:
> ipa: ERROR: commands cannot be added when command category='all'
> Non proper way (bug ?) is to first add deny groups and after that add allow
> all :)
> It should be fixed in this, but it seems to still work
> (freeipa-server-3.3.4-3)
> https://fedorahosted.org/freeipa/ticket/1440
> Thanks
> Szymon

Hi Szymon,

freeipa-users might be a good place to ask this question. As you
noticed, plain sudo does support this functionality, but I'm not
completely sure about IPA's UI. The IPA developers would know, I'm sure.

Freeipa-users mailing list

Reply via email to