I don't need an administrator to change my root password. I don't want any sudo user to execute this command:
sudo passwd $root
I have tried it in the sudoers file using the following command:
%sudo ALL=(ALL) ALL, !/usr/bin/passwd $root
How can I block it?
Best Answer
According to sudoers manual:
This is why your sudoers policy doesn't work.
If you would like to prevent user to gain root permission and change its password, try this procedure:
Assuming your sudoers contains this directive:
Assuming your user name is
foo
, his groups arefoo
andsudo
.groups
command output is:Remove user
foo
fromsudo
group:gpasswd -d foo sudo
after this, userfoo
can not run any command with sudo.Edit sudoers file. Use this command:
Define user
foo
permission, for example:This means that user
foo
may run any commands in the directory/usr/bin/
exceptpasswd
andsu
command. Note: If the userfoo
wants to change his password, can runpasswd
command withoutsudo
.Another example of user
foo
permission:This means that user
foo
may run any commands in the directory/usr/bin/
and is allowed to change anyone’s password except for root on ALL machines.You can define groups of command by define
Cmnd_Aliases
and create "levels of permissions". You can found useful examples in EXAMPLE section of sudoers manual, and here is a useful link about how to use sudoers.