Szymon Jazy wrote:
Hello,
Is there a proper way in sudo rules to allow any command and exclude
only some groups?
Something like:
%test_group ALL=    (ALL)       ALL, !SU, !SHELLS
If I try to do this (gui/cli) I get an error:
ipa: ERROR: commands cannot be added when command category='all'


Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340

A non-proper way (bug?) is to first add deny groups and after that add
allow all :)
It should be fixed in this, but it seems to still work
(freeipa-server-3.3.4-3)
https://fedorahosted.org/freeipa/ticket/1440

Right, it was an incomplete fix. I opened https://fedorahosted.org/freeipa/ticket/4341 to address that, though to be coordinated with 4340 so we don't remove your workaround first.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
