SUDO: executing as {any but non-root user} won't work

freej...@gmail.com

Dec 6, 2006, 4:29:00 PM
Hello,
I want one user (menuadmin) to be able to execute some command as ANY
user BUT NOT root (and with no password)

This is my sudoers:
#
menuadmin ALL= ( !root ) NOPASSWD: /usr/bin/id
#

Logged as menuadmin, I keep being asked for a password when I type:
sudo -u joe /usr/bin/id

When I change "!root" to "joe", everything works as expected.
The "!" operator is allowed for users on the sudoers man page though.
I don't understand. Could someone help me and explain this behaviour?
Thanks
Jerome

freej...@gmail.com

Dec 6, 2006, 5:07:34 PM
Update: I reply to my own message.
It seems that using the following syntax
(ALL, ! root ) does the trick...

Jeroen Geilman

Dec 6, 2006, 7:54:00 PM
freej...@gmail.com wrote:

That being the only correct syntax, yeah.
One wonders why you would want to prohibit root from sudo-ing anyway - you
cannot logically prohibit root from doing anything.


--
All your bits are belong to us.
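
The sudoers manual notes that "!" only excludes values from something that has already matched, which is why (!root) matches no target user while (ALL, !root) matches everyone except root. The sketch below is an added example, not code from this thread or from sudo itself: it is a simplified model of that evaluation, the function name runas_decision is hypothetical, and it assumes the last matching item in a list wins and handles only plain user names, ALL and the "!" prefix.

```shell
#!/bin/sh
# Simplified model of Runas list matching in sudoers (added example).
# Assumptions: no aliases, groups or #uid entries; the last matching
# item in the list decides the outcome.

# runas_decision LIST TARGET -> prints allow, deny or nomatch.
# The body runs in a subshell so the IFS and globbing changes stay local.
runas_decision() (
    result=nomatch
    IFS=,
    set -f                                   # no globbing while splitting
    for item in $1; do
        item=$(printf '%s' "$item" | tr -d ' \t')   # "! root" -> "!root"
        negated=no
        case $item in
            '!'*) negated=yes; item=${item#?} ;;    # strip the leading "!"
        esac
        # An item only has an effect when it matches the target user.
        if [ "$item" = ALL ] || [ "$item" = "$2" ]; then
            if [ "$negated" = yes ]; then
                result=deny
            else
                result=allow
            fi
        fi
    done
    printf '%s\n' "$result"
)

# Constructed cases taken from the lists discussed in this thread.
for runas in '!root' 'ALL, ! root' 'joe'; do
    for target in joe root; do
        printf '(%s) with -u %s: %s\n' "$runas" "$target" \
            "$(runas_decision "$runas" "$target")"
    done
done
```

A result of nomatch means the rule does not apply to that target user at all, so NOPASSWD on that rule never comes into play.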

freej...@gmail.com

Dec 7, 2006, 5:25:23 AM
You misunderstood (or I explained myself not clearly, sorry)
I don't want to prohibit root from executing, I want a certain user to
be able to execute a certain command AS any user, except root (ie the
user can not become root while executing the command)
J

Jeroen Geilman

Dec 7, 2006, 1:50:45 PM
freej...@gmail.com wrote:

> You misunderstood (or I explained myself not clearly, sorry)
> I don't want to prohibit root from executing, I want a certain user to
> be able to execute a certain command AS any user, except root (ie the
> user can not become root while executing the command)

A-HA!
Light dawns...

Sorry, my experience with sudo doesn't go that far.

Chris F.A. Johnson

Dec 7, 2006, 4:08:08 PM
On 2006-12-07, freej...@gmail.com wrote:
>
> Jeroen Geilman wrote:
>> freej...@gmail.com wrote:
>>
>> > Update: I reply to my own message.
>> > It seems that using the following syntax
>> > (ALL, ! root ) does the trick...
>>
>> That being the only correct syntax, yeah.
>> One wonders why you would want to prohibit root from sudo-ing anyway - you
>> cannot logically prohibit root from doing anything.

[please don't top post]

> You misunderstood (or I explained myself not clearly, sorry)
> I don't want to prohibit root from executing, I want a certain user to
> be able to execute a certain command AS any user, except root (ie the
> user can not become root while executing the command)

Write a wrapper, e.g.:

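#!/bin/sh
# Run COMMAND (a placeholder) as the user named in $1, but never as root.
case $1 in
    root) exit 1 ;;        # refuse the root account
    "" | -*) exit 1 ;;     # refuse an empty name or anything su would read as an option
    *) su - "$1" -c COMMAND ;;
esac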

...and give the user the right to execute it in /etc/sudoers.

--
Chris F.A. Johnson, author | <http://cfaj.freeshell.org>
Shell Scripting Recipes: | My code in this post, if any,
A Problem-Solution Approach | is released under the
2005, Apress | GNU General Public Licence
