Ok, thanks.

2014-05-07 15:15 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Szymon Jazy wrote:
>
>> Hello,
>> Is there a proper way in sudo rules to allow any command and exclude
>> only some groups?
>> Something like:
>> %test_group ALL=    (ALL)       ALL, !SU, !SHELLS
>> If I try to do this (gui/cli) I get an error:
>> ipa: ERROR: commands cannot be added when command category='all'
>>
>
> Unfortunately no. I opened https://fedorahosted.org/freeipa/ticket/4340
>
>
>> Non proper way (bug ?) is to first add deny groups and after that add
>> allow all :)
>> It should be fixed in this, but it seems to still work
>> (freeipa-server-3.3.4-3)
>> https://fedorahosted.org/freeipa/ticket/1440
>>
>
> Right, it was an incomplete fix. I opened
> https://fedorahosted.org/freeipa/ticket/4341 to address that, though to be
> coordinated with 4340 so we don't remove your workaround first.
>
> rob
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
