ianw1974 Posted July 6, 2006

What I'm wanting to do is have an account called "admin", that can do practically everything that root can, except, I don't want them to be able to reset the root account password :P

This is what I put in sudoers to make it easy for all commands to be run:

    admin ALL=(ALL) ALL

How can I modify it to block changing the root password? Of course, I still want them to do everything else, and reset other user passwords.

paul Posted July 6, 2006

    admin ALL=(ALL) ALL !/usr/bin/passwd root

ianw1974 (Author) Posted July 6, 2006

I tried that, keeps giving me an error when I try to save the file.

paul Posted July 6, 2006

then I guess work the other way

    admin ALL =(ALL) /bin/*

(not sure whether you can use wild cards)

ianw1974 (Author) Posted July 6, 2006

Actually, it just needed one extra thing:

    admin ALL=(ALL) ALL, !/usr/bin/passwd root

the most important bit being the comma. Now it works :P

ianw1974 (Author) Posted July 6, 2006

Oh, and also, don't forget to also add this to the end of the line:

    , !/usr/sbin/visudo

else they'll be able to edit the file and remove what you restricted. Also, any other file editor too.

neddie Posted July 6, 2006

Eek! But how would you stop them editing another file, and then mv'ing it to replace that one? Or doing a cat or echo and piping the output to that file? I don't think you're really going to be able to lock it down like that :unsure:

paul Posted July 6, 2006

I'm betting he doesn't have users on his system that think like you and I

ianw1974 (Author) Posted July 6, 2006

I probably have, and I've already tied down cat, vi, nano text editors. So even if they copy it away, they can't view it :P I've been trying to use things like:

    $1 sudoers

but unfortunately that doesn't work. So I'm kinda thinking I either have to just give it up and not bother attempting to do it and just have the root account, or try and enable just for commands I think they need.

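An added example, not part of the thread: the sudoers manual describes subtracting commands from ALL with "!" as generally not effective, which is the concern neddie raises above. This Python audit flags rules of that shape in a sudoers file; the function name `audit_sudoers`, the sample lines and the simplified one-rule-per-line parsing are assumptions of this example.

```python
import re

# Constructed sample input (not from a real system): the rule from the thread,
# an allow-list style rule, and a single-command rule.
SAMPLE_SUDOERS = """\
# constructed sample
admin  ALL=(ALL) ALL, !/usr/bin/passwd root, !/usr/sbin/visudo
oper   ALL=(ALL) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
backup ALL=(root) /usr/bin/rsync
"""

NON_RULES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
SPEC = re.compile(r"^(?P<who>\S+)\s+[^=]+?=\s*(?P<cmds>.+)$")
RUNAS = re.compile(r"^\([^)]*\)\s*")      # leading "(ALL)" / "(root)"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # leading "NOPASSWD:" etc.


def audit_sudoers(text):
    """Return [(line_no, user, [negated commands])] for every rule that grants
    ALL commands and then tries to subtract some with '!'.
    Simplifications: one rule per line, no continuations, aliases not expanded."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(NON_RULES):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        grants_all, negated = False, []
        # Commas inside command arguments are escaped as "\," in sudoers.
        for item in re.split(r"(?<!\\),", m.group("cmds")):
            item = TAGS.sub("", RUNAS.sub("", item.strip()))
            if item == "ALL":
                grants_all = True
            elif item.startswith("!"):
                negated.append(item[1:].strip())
        if grants_all and negated:
            findings.append((line_no, m.group("who"), negated))
    return findings


if __name__ == "__main__":
    for line_no, who, negated in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who} has ALL minus {negated}; "
              "use an explicit allow-list of commands instead")
```

Only the `admin` rule is reported; the `oper` rule lists the permitted command explicitly and carves out one argument, so it is not a subtraction from ALL.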