Sudoers blacklist

We need to add a few users to the sudoers file on Linux. They should be able to do anything root can, except the following:

  • Should not modify, read or delete /nfsshare/config
  • Should not modify, read or delete /etc/passwd
  • Should not mount anything
  • Should not change the root password
  • Should not edit /etc/sudoers or run visudo to add other users

Is this possible?

Best Answer

I am, basically, in agreement with Wissam Al-Roujoulah on this.

We need to add a few users to the sudoers file

Do you really need to do this? Maybe there are other ways, using ACLs or regular UNIX permissions.

As Wissam Al-Roujoulah has already pointed out, trying to "blacklist" certain commands is in reality a really bad idea (read below from man sudoers, emphasis mine):

  Note, however, that using a ‘!’ in conjunction with the built-in ALL alias to allow a user to run “all but a few” commands rarely works as intended

Instead you can specify a "whitelist", i.e. the actual commands the users are allowed to run. Something like this:

user1 ALL=/sbin/shutdown

The above will allow user1 to shut down. You can add more commands in a comma-separated list.

Read more about this here.
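The following is an added example of the whitelist approach, not code from the original answer. It is a POSIX shell script that renders a sudoers drop-in for /etc/sudoers.d from a user name and a list of absolute command paths, refuses commands that would hand the user a root shell or arbitrary file access (an editor, pager or cp run as root can read or overwrite /etc/passwd or /nfsshare/config just as easily as a "!"-blacklisted command could, so whitelisting them defeats the purpose), and syntax-checks the result with visudo -cf when visudo is installed. The function names, the SHELL_ESCAPES list and the /etc/sudoers.d/ops path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a whitelist-style sudoers
# drop-in and validate it. Function names and the escape list are assumptions.
set -eu

# Commands that trivially yield a root shell or let the caller read/overwrite
# arbitrary files. Granting any of these via sudo defeats a whitelist, because
# e.g. "sudo vim /etc/passwd" or "sudo cp" bypasses every restriction above.
SHELL_ESCAPES="bash sh dash zsh vi vim nano less more cp mv dd tee python perl"

# is_unsafe_command <abs-path>: succeeds if the basename is a known escape.
is_unsafe_command() {
    base=$(basename "$1")
    for bad in $SHELL_ESCAPES; do
        [ "$base" = "$bad" ] && return 0
    done
    return 1
}

# render_whitelist <user> <cmd>...: prints one sudoers line, e.g.
#   user1 ALL=(root) /sbin/shutdown, /usr/bin/systemctl
# sudoers matches on the full path, so relative names are refused, and
# shell-escape commands are refused for the reason given above.
render_whitelist() {
    user=$1; shift
    list=""
    for cmd in "$@"; do
        case $cmd in
            /*) ;;
            *) echo "refusing non-absolute command: $cmd" >&2; return 1 ;;
        esac
        if is_unsafe_command "$cmd"; then
            echo "refusing $cmd: it gives a root shell or arbitrary file access" >&2
            return 1
        fi
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL=(root) %s\n' "$user" "$list"
}

# install_dropin <file> <user> <cmd>...: write the drop-in with mode 0440 and
# syntax-check it with visudo -cf if visudo exists on this host. A drop-in that
# fails the check is removed so a broken file never breaks sudo for everyone.
install_dropin() {
    file=$1; shift
    render_whitelist "$@" > "$file"
    chmod 0440 "$file"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" || { rm -f "$file"; return 1; }
    fi
}

# Usage (as root), assumed path:
#   install_dropin /etc/sudoers.d/ops user1 /sbin/shutdown /usr/bin/systemctl
# Afterwards "sudo -l -U user1" shows exactly the commands that were granted.
```

Note that even a whitelisted command can be a problem if it takes arguments that open a file or spawn a process (systemctl's pager, for example), so each entry still has to be reviewed for escapes, not just for its name.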
