Szymon Jazy wrote:
Hello, Is there a proper way in sudo rules to allow any command and exclude only some groups? Something like: %test_group ALL= (ALL) ALL, !SU, !SHELLS If I try to do this (gui/cli) I get an error: ipa: ERROR: commands cannot be added when command category='all'
Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340
Non proper way (bug ?) is to first add deny groups and after that add allow all :) It should be fixed in this, but it seems to still work (freeipa-server-3.3.4-3) https://fedorahosted.org/freeipa/ticket/1440
Right, it was an incomplete fix. I opened https://fedorahosted.org/freeipa/ticket/4341 to address that, though to be coordianted with 4340 so we don't remove your workaround first.
rob _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users