On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote:
> Hello,
> Is there a proper way in sudo rules to allow any command and exclude only
> some groups?
> Something like:
> %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
> If I try to do this (gui/cli) I get an error:
> ipa: ERROR: commands cannot be added when command category='all'
> 
> Non proper way (bug ?) is to first add deny groups and after that add allow
> all :)
> It should be fixed in this, but it seems to still work
> (freeipa-server-3.3.4-3)
> https://fedorahosted.org/freeipa/ticket/1440
> 
> Thanks
> Szymon

Hi Szymon,

freeipa-users might be a good place to ask this question. As you
noticed, plain sudo does support this functionality, but I'm not
completely sure about IPA's UI. The IPA developers would know, I'm sure.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to