0

Long story short, the admins group is used for SSH authentication and for determining sudoers permissions. All members of the admins group should have unlimited sudo access, except for jsmith. jsmith needs to authenticate just like the other members of admins, but should only have sudo permission to run systemctl restart smithscoolapp.

I tried editing sudoers to look like this:

jsmith ALL=systemctl restart smithscoolapp admins ALL=(ALL) ALL

However, jsmith is still able to sudo into commands other than systemctl restart smithscoolapp. Is it possible to set sudoer permissions for a specific member of a group, or should I create a "subadmins" group specifically for this user?

Improve this question

2 Answers 2

Reset to default
1

You need to specify !ALL for the user.

eg I have this configuration:

%wheel ALL=(ALL) ALL sweh ALL=(ALL) !ALL,/bin/ls

My user is in the wheel group. So if I ask for what commands I can run:

$ sudo -l User sweh may run the following commands on test1: (ALL) ALL (ALL) !ALL, /bin/ls

So now I can just run the ls command, but not cat.

$ sudo ls /root anaconda-ks.cfg ks-post.log original-ks.cfg $ sudo cat /etc/shadow Sorry, user sweh is not allowed to execute '/bin/cat /etc/shadow' as root on test1.
Improve this answer
2
  • 2
    You need to make sure the restriction comes after the allowance command. The sudoers manual specifies that the last match made to a user is the one that is used. Commented Mar 11, 2022 at 23:10
  • Yes, definitely, order matters. sudo will go through the rules in order and the last one that matches the command for the calling user will be the one that's applied. Commented Mar 11, 2022 at 23:26
0

I don't believe you can remove permissions in the way that you describe.

You should instead separate out the permissions for ssh and for sudo into two separate groups. Assign all your users to the new ssh group, and add all but jsmith to the sudo group.

Remember that on UNIX/Linux systems, groups are neither hierarchical nor inherited. You must include all chosen users each group.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.