Post 302939315 by Chubler_XL on Tuesday 24th of March 2015 04:15:12 PM
Sudoers - Revoke default policy

I would like to keep my /etc/sudoers file as distributed and only use a /etc/sudoers.d drop-in file instead.

Everything is working fine except for permissions given to the wheel group in the distribution sudoers file:

Code:
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL


I don't want people in group wheel to be able to run commands. Now I know I can comment the above line and revoke this permission, however I want to keep the sudoers file as-distributed; so my goal is to revoke these permissions in my drop-in file. I have tried the following without success:

Code:
%wheel
%wheel  ALL=(ALL) !/*

The manual has little info on revoking permissions and I'm running out of ideas.
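
A drop-in that revokes the wheel grant without touching the distributed file, as an added example that is not part of the original post. It relies on the documented sudoers rule that the last matching entry wins. It assumes the distribution file's `#includedir /etc/sudoers.d` line comes after its `%wheel` line; the file name, user and command are hypothetical.

```sudoers
# /etc/sudoers.d/zz-revoke-wheel
# Hypothetical file name. It must not contain '.' or end in '~',
# otherwise the includedir scan skips the file.
#
# The two attempts from the post, left commented out for comparison:
#   %wheel
#       incomplete entry (no host or command list), rejected by the parser
#   %wheel  ALL=(ALL) !/*
#       wildcards in a command path do not match '/', so '/*' covers only
#       files directly in the root directory, not /usr/bin/... and so on
#
# sudoers applies matching entries in order and the LAST match is used,
# so a negated ALL parsed after the distributed "%wheel ALL=(ALL) ALL"
# overrides it for every member of wheel.
%wheel  ALL=(ALL)  !ALL

# Grants for users who are also in wheel must come AFTER the line above,
# or the deny overrides them as well (constructed sample user and command):
# alice   ALL=(root)  /usr/bin/systemctl restart httpd

# Check before relying on it:
#   visudo -cf /etc/sudoers.d/zz-revoke-wheel
#   sudo -l -U <wheel-member>
```

Files in the drop-in directory are read in sorted order, so a later-sorting file that grants wheel members access again would take precedence over this one.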
 

PAM_WHEEL(8)                    Linux-PAM Manual                    PAM_WHEEL(8)

NAME
       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS
       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust]

DESCRIPTION
       The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.

OPTIONS
       debug
           Print debug information.

       deny
           Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in which case we return PAM_SUCCESS).

       group=name
           Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

       root_only
           The check for wheel membership is done only.

       trust
           The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).

MODULE TYPES PROVIDED
       The auth and account module types are provided.

RETURN VALUES
       PAM_AUTH_ERR
           Authentication failure.

       PAM_BUF_ERR
           Memory buffer error.

       PAM_IGNORE
           The return value should be ignored by PAM dispatch.

       PAM_PERM_DENY
           Permission denied.

       PAM_SERVICE_ERR
           Cannot determine the user name.

       PAM_SUCCESS
           Success.

       PAM_USER_UNKNOWN
           User not known.

EXAMPLES
       The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.

           su      auth     sufficient     pam_rootok.so
           su      auth     required       pam_wheel.so
           su      auth     required       pam_unix.so

SEE ALSO
       pam.conf(5), pam.d(5), pam(7)

AUTHOR
       pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

Linux-PAM Manual                   05/31/2011                       PAM_WHEEL(8)