Hi all,
I'm trying to set up my sudoers file at work to have the right security, but I'm not able to refine it to the level I want.
Here's what I would like to have:
=> OS Users
- John (group staff)
- Bob (group staff)
- app20adm (group app20grp)
- app70adm (group app70grp)
- sys20adm (group app20grp)
- sys70adm (group app70grp)
=> OS Groups
- staff
- app20grp
- app70grp
I would like to have John run all sudo commands as sys20adm and sys70adm, including 'sudo -i'. Files should have permission of sys20adm:app20grp or sys70adm:app70grp.
I also would like to have Bob run all sudo commands as app20adm and app70adm, except 'sudo -i'.
I haven't been able to get even the first part (run command as) working. Can anyone help? Here's what I have configured so far:
User_Alias SYSADMIN20 = john
User_Alias SYSADMIN70 = john
User_Alias APPADMIN20 = bob
User_Alias APPADMIN70 = bob
Runas_Alias SYS20ADM = sys20adm
Runas_Alias SYS70ADM = sys70adm
Runas_Alias APP20ADM = app20adm
Runas_Alias APP70ADM = app70adm
SYSADMIN20 ALL = (SYS20ADM) ALL
SYSADMIN70 ALL = (SYS70ADM) ALL
APPADMIN20 ALL = (APP20ADM) ALL , !/usr/bin/sudo -i app20adm
APPADMIN70 ALL = (APP70ADM) ALL , !/usr/bin/sudo -i app70adm
Any ideas? I also tried the defaults below, but the latter overwrites the first.
Defaults:SYSADMIN20 runas_default=sys20adm
Defaults:SYSADMIN70 runas_default=sys70adm
Thanks,
Vic.
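
A sudoers fragment for the policy described in the post above, added as an example and not part of the original post. It assumes each target account's primary group is the one listed for it in the post; the shell paths in SHELLS are also assumed and must match the app accounts' entries in /etc/passwd.

```sudoers
# Added example. User and account names come from the post; the SHELLS
# paths are assumptions about this host.
# Check syntax before installing: visudo -c -f <this file>

# A Runas list can name several target users, so one alias per role is enough.
Runas_Alias SYSACCTS = sys20adm, sys70adm
Runas_Alias APPACCTS = app20adm, app70adm

# "sudo -i" and "sudo -s" are checked against the shell they would start,
# not against /usr/bin/sudo, so a shell is denied by naming the shell.
Cmnd_Alias  SHELLS = /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash

# john: any command as either sys account, login shell included.
# runas_default holds a single user per Defaults scope, so with two targets
# the account is chosen on the command line:
#   sudo -u sys20adm -i
#   sudo -u sys70adm <command>
# Files are then created as sys20adm:app20grp or sys70adm:app70grp
# (assumes those groups are the accounts' primary groups).
john ALL = (SYSACCTS) ALL

# bob: any command as either app account, except starting a shell.
#   sudo -u app20adm <command>   allowed
#   sudo -u app20adm -i          denied
bob  ALL = (APPACCTS) ALL, !SHELLS
```

The sudoers manual notes that subtracting commands from ALL with `!` is generally not effective as a hard boundary; listing the specific commands bob needs in a Cmnd_Alias is the robust form of this rule.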