SUDO: executing as {any but non-root user} won't work - Security


  1. SUDO: executing as {any but non-root user} won't work

    Hello,
    I want one user (menuadmin) to be able to execute some command as ANY
    user BUT NOT root (and with no password)

    this is my sudoers:
    #
    menuadmin ALL= ( !root ) NOPASSWD: /usr/bin/id
    #

    Logged as menuadmin, I keep being asked for a password when I type:
    sudo -u joe /usr/bin/id

    When I change "!root" to "joe", everything works as expected.
    The "!" operator is allowed for users on the sudoers man page though.
    I don't understand. Could someone help me and explain this behaviour?
    Thanks
    Jerome


  2. Re: SUDO: executing as {any but non-root user} won't work

    Update: I reply to my own message
    it seems that using the following syntax
    (ALL, ! root ) does the trick...


  3. Re: SUDO: executing as {any but non-root user} won't work

    freejazz13@gmail.com wrote:

    > Update: I reply to my own message
    > it seems that using the following syntax
    > (ALL, ! root ) does the trick...


    That being the only correct syntax, yeah.
    One wonders why you would want to prohibit root from sudo-ing anyway - you
    cannot logically prohibit root from doing anything.


    --
    All your bits are belong to us.

  4. Re: SUDO: executing as {any but non-root user} won't work

    You misunderstood (or I explained myself not clearly, sorry)
    I don't want to prohibit root from executing, I want a certain user to
    be able to execute a certain command AS any user, except root (ie the
    user can not become root while executing the command)
    J


    Jeroen Geilman wrote:
    > freejazz13@gmail.com wrote:
    >
    > > Update: I reply to my own message
    > > it seems that using the following syntax
    > > (ALL, ! root ) does the trick...

    >
    > That being the only correct syntax, yeah.
    > One wonders why you would want to prohibit root from sudo-ing anyway - you
    > cannot logically prohibit root from doing anything.
    >
    >
    > --
    > All your bits are belong to us.



  5. Re: SUDO: executing as {any but non-root user} won't work

    freejazz13@gmail.com wrote:

    > You misunderstood (or I explained myself not clearly, sorry)
    > I don't want to prohibit root from executing, I want a certain user to
    > be able to execute a certain command AS any user, except root (ie the
    > user can not become root while executing the command)


    A-HA!
    Light dawns...

    Sorry, my experience with sudo doesn't go that far.

    --
    All your bits are belong to us.

  6. Re: SUDO: executing as {any but non-root user} won't work

    On 2006-12-07, freejazz13@gmail.com wrote:
    >
    > Jeroen Geilman wrote:
    >> freejazz13@gmail.com wrote:
    >>
    >> > Update: I reply to my own message
    >> > it seems that using the following syntax
    >> > (ALL, ! root ) does the trick...

    >>
    >> That being the only correct syntax, yeah.
    >> One wonders why you would want to prohibit root from sudo-ing anyway - you
    >> cannot logically prohibit root from doing anything.


    [please don't top post]

    > You misunderstood (or I explained myself not clearly, sorry)
    > I don't want to prohibit root from executing, I want a certain user to
    > be able to execute a certain command AS any user, except root (ie the
    > user can not become root while executing the command)


    Write a wrapper, e.g.:

    #!/bin/sh
    # $1 is the target user: do nothing for root, run COMMAND as anyone else
    case $1 in
    root) ;;
    *) su - "$1" -c COMMAND ;;
    esac

    ...and give the user the right to execute it in /etc/sudoers.

    --
    Chris F.A. Johnson, author |
    Shell Scripting Recipes: | My code in this post, if any,
    A Problem-Solution Approach | is released under the
    2005, Apress | GNU General Public Licence
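
Added example, not part of any post in this thread: a simplified shell model of how sudoers evaluates a Runas user list, showing why `( !root )` alone never grants `sudo -u joe` while `(ALL, !root)` does. It assumes only `ALL`, plain user names and `!` negation (no `#uid`, `%group` or aliases), and the function name `runas_decision` is hypothetical.

```sh
#!/bin/sh
# Added example: simplified model of sudoers Runas user-list matching.
# Supports only ALL, plain user names and "!" negation (assumption: no
# #uid, %group or Runas_Alias entries). runas_decision is a hypothetical name.

# runas_decision LIST TARGET
# LIST is the comma-separated text between the parentheses in sudoers.
# Prints: allow (rule applies), deny (explicitly negated), nomatch (rule
# says nothing about TARGET, so it grants nothing).
runas_decision() {
    list=$1
    target=$2
    result=nomatch
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting the list
    for member in $list; do
        member=$(printf '%s' "$member" | tr -d ' \t')
        negated=no
        case $member in
            '!'*) negated=yes; member=${member#\!} ;;
        esac
        # Members are checked in order; a later match overrides an earlier one.
        if [ "$member" = ALL ] || [ "$member" = "$target" ]; then
            if [ "$negated" = yes ]; then result=deny; else result=allow; fi
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# The two Runas lists from the thread, checked for a normal user and root.
for spec in '!root' 'ALL, !root'; do
    for user in joe root; do
        printf '(%s)  sudo -u %s  -> %s\n' "$spec" "$user" \
            "$(runas_decision "$spec" "$user")"
    done
done
```

Because a later entry overrides an earlier one, the order matters: in this model `(!root, ALL)` ends up allowing root, so the negation has to come after `ALL`.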
