Naveen surisetty wrote:
> I have a sysadmin role, and a profile "user management" assigned to the
> role.
>
> #tail /etc/security/exec_attr
> ...
> user management:suser:cmd:::/usr/bin/passwd:uid=0
>
> I just want to restrict the role "sysadmin" not to change "root" password,
> but grant permission for all other users. How do I configure RBAC profile?

You can't easily do that. The only way it is possible just now is to create a wrapper script around /usr/bin/passwd that checks the username argument isn't on the list of ones you don't want changed. Then put that wrapper script in the RBAC profile and have it run with uid=0 instead of /usr/bin/passwd.

--
Darren J Moffat
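
One way to write the wrapper described in the reply above, as an added example that is not part of the original thread. The install name `passwd-restricted`, its path under `/usr/local/sbin`, the `PROTECTED_USERS` list and the use of a POSIX-compatible shell are assumptions.

```shell
#!/bin/sh
# Added example: restricted front end for /usr/bin/passwd, for use from an
# RBAC profile. Hypothetical exec_attr entry (install path is an assumption):
#   user management:suser:cmd:::/usr/local/sbin/passwd-restricted:uid=0
PATH=/usr/bin:/usr/sbin; export PATH
LC_ALL=C; export LC_ALL            # keep [A-Za-z] ranges byte-exact

# Accounts this wrapper must never touch, space separated. The list matches
# by name only, so any other account that shares UID 0 has to be listed too.
PROTECTED_USERS="root"

# validate_target NAME -> 0 if NAME may be passed to passwd, 1 otherwise.
validate_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;   # empty, option-like, odd chars
    esac
    case " $PROTECTED_USERS " in
        *" $1 "*) return 1 ;;                  # on the deny list
    esac
    return 0
}

main() {
    # Exactly one argument: no options, and no bare "passwd", where passwd
    # itself would pick the target instead of this check.
    if [ "$#" -ne 1 ]; then
        echo "usage: passwd-restricted username" >&2
        return 2
    fi
    if ! validate_target "$1"; then
        echo "passwd-restricted: refusing to change password for '$1'" >&2
        return 1
    fi
    exec /usr/bin/passwd "$1"
}

# Run only when invoked under the installed name; fails closed otherwise.
case "${0##*/}" in
    passwd-restricted) main "$@"; exit $? ;;
esac
```

The wrapper should be owned by root and writable by no one else, since the profile runs it with uid=0.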