-1

Hello and thanks for helping me with this question. I just have in /etc/sudoers something like this:

```
# User Aliases
User_Alias CLIENT = jhonny
CLIENT myserver = ALL, !ADMIN_CMD, !SU
```

I just want to deny jhonny the capacity to shut down or reboot the machine.

Server is Red Hat 6.6 Santiago.

Andrew Schulman
erucv
  • The [manual](http://www.gratisoft.us/sudo/sudoers.man.html) might seem a bit heavy at first but still has some pretty good examples, as well as the default sudoers file that Red Hat provides. What have you tried and where are you stuck? – HBruijn Nov 28 '14 at 14:03

1 Answer

-1

As far as I know, you will need to create a whitelist of commands available to the user via the sudoers file. A good start will be reviewing the manual: `man sudoers`

If you allow the user access to the ALL command alias, they can perform a number of workarounds, allowing them to gain access to what you are trying to deny.

If this isn't much of an issue, here is an example I found online (possibly from the man page?)

```
# From 'man sudoers'
Cmnd_Alias     SU = /usr/bin/su
Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                        /usr/local/bin/tcsh, /usr/bin/rsh, \
                        /usr/local/bin/zsh

# jill may run any commands in the directory /usr/bin/ except for those
# commands belonging to the SU and SHELLS Cmnd_Aliases.
jill           ALL = /usr/bin/, !SU, !SHELLS
```

And as user255657 has said, this is with 100% certainty a duplicate.

RapidWebs
  • `and as user255657 has said, this is with 100% certainty a duplicate.` - so why answer it? – AD7six Nov 28 '14 at 16:54
  • If a thread is going to sit open, without an answer, what purpose is it serving? None. And what harm does it do to at least provide a tidbit of useful information or a simple direction for somebody coming here from a search engine or site search? None – RapidWebs Nov 28 '14 at 17:07
  • The problem with people posting duplicate questions is a real one. It wastes people's time. But duplicate questions without answers are an even bigger waste of time and result in even more empty space. In my opinion, creating a problem where there isn't one kills public forums just as quickly as lazy participants – RapidWebs Nov 28 '14 at 17:14
  • 2
    Don't answer it -> flag as a duplicate -> it acts as a signpost. If you want to provide a _better_ answer than those that already exist - answer [the existing question](http://serverfault.com/questions/36759/editing-sudoers-file-to-restrict-a-users-commands). Having answers spread around duplicate questions does not help; it just dilutes information by making it harder to find. – AD7six Nov 28 '14 at 17:20
  • 2
    @AD7six Amen brother! – Michael Hampton Nov 28 '14 at 17:21
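
An added example, not part of the original answer and not code from the sudo project: a small Python check that flags sudoers rules which grant `ALL` and then subtract commands with `!`, the pattern the answer warns about and which the sudoers manual describes as generally not effective. The sample rules are constructed from the lines quoted on this page plus one constructed allowlist rule (`operator`); the function names are hypothetical, and the parser is simplified (no alias expansion or include handling).

```python
import re

# Constructed sample built from the rules quoted on this page, plus one
# constructed allowlist rule (operator) for contrast.
SAMPLE = """\
# User Aliases
User_Alias CLIENT = jhonny
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, \\
                    /usr/bin/ksh
CLIENT   myserver = ALL, !ADMIN_CMD, !SU
operator myserver = (root) NOPASSWD: /sbin/service httpd restart
"""

DEFINITIONS = ("Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "Defaults")

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines.
    Simplified: every '#' starts a comment, so #include lines are ignored."""
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit(text):
    """Return (who, denied) for each rule that grants ALL and negates commands."""
    findings = []
    for line in logical_lines(text):
        if line.startswith(DEFINITIONS) or "=" not in line:
            continue
        who, cmds = line.split("=", 1)
        cmds = re.sub(r"\([^)]*\)", "", cmds)    # drop Runas spec, e.g. (root)
        cmds = re.sub(r"\b[A-Z_]+:", "", cmds)   # drop tags, e.g. NOPASSWD:
        items = [c.strip() for c in cmds.split(",")]
        denied = [c[1:].strip() for c in items if c.startswith("!")]
        if "ALL" in items and denied:
            findings.append((who.split()[0], denied))
    return findings

if __name__ == "__main__":
    for who, denied in audit(SAMPLE):
        print(f"{who}: ALL minus {denied} is a denylist; use an allowlist instead")
```

Only the `CLIENT` rule is reported; the `operator` rule, which names the exact command it permits, passes.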