Stopping sudoer user from changing root password

[ianw1974]

What I'm wanting to do us have an account called "admin", that can do practically everything that root can, except, I don't want them to be able to reset the root account password :P

 

This is what I put in sudoers to make it easy for all commands to be run:

 

admin ALL=(ALL) ALL

 

how can I modify to block from changing the root password? Of course, I still want them to do everything else, and reset other user passwords.

[paul]

admin ALL=(ALL) ALL !/usr/bin/passwd root

[ianw1974]

I tried that, keeps giving me an error when I try to save the file.

[paul]

then I guees work the other way

admin ALL =(ALL) /bin/* (not sure whether you can use wild cards)

[ianw1974]

Actually, it just needed one extra thing:

 

admin ALL=(ALL) ALL, !/usr/bin/passwd root

 

the most important bit being the comma. Now it works :P

[ianw1974]

Oh, and also, don't forget to also add this to the end of the line:

 

, !/usr/sbin/visudo

 

else they'll be able to edit the file and remove what you restricted. Also, any other file editor too.

[neddie]

Eek! But how would you stop them editing another file, and then mv'ing it to replace that one? Or doing a cat or echo and piping the output to that file? I don't think you're really going to be able to lock it down like that :unsure:

[paul]

I'm betting he doesn't have users on his system that think like you and I

[ianw1974]

I probably have, and I've already tied down cat, vi, nano text editors. So even if they copy it away, they can't view it :P

 

I've been trying to use things like:

 

$1 sudoers

 

but unfortunately that doesn't work. So I'm kinda thinking I either have to just give it up and not bother attempting to do it and just have the root account, or try and enable just for commands I think they need.