On Wed, May 07, 2014 at 11:17:54AM +0200, Jakub Hrozek wrote:
> On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote:
> > Hello,
> > Is there a proper way in sudo rules to allow any command and exclude only
> > some groups?
> > Something like:
> > %test_group ALL= (ALL) ALL, !SU, !SHELLS
> > If I try to do this (gui/cli) I get an error:
> > ipa: ERROR: commands cannot be added when command category='all'
> >
> > Non proper way (bug ?) is to first add deny groups and after that add allow
> > all :)
> > It should be fixed in this, but it seems to still work
> > (freeipa-server-3.3.4-3)
> > https://fedorahosted.org/freeipa/ticket/1440
> >
> > Thanks
> > Szymon
>
> Hi Szymon,
>
> freeipa-users might be a good place to ask this question. As you
> noticed, plain sudo does support this functionality, but I'm not
> completely sure about IPA's UI. The IPA developers would know, I'm sure.

Obviously, I was going to respond to Szymon's same question on sssd-users and missed that he forwarded the question to freeipa-users as well. Sorry for the noise.