block setfacl to specific group in sudo
Hi All,
Am trying to block the setfacl command for sudo user (my specific requirement) as below:
%testing ALL= NOPASSWD: !/usr/bin/setfacl -m g:testing:*
Dont want sudo user to perform any setfacl operation for testing group.
Am getting below error:
@localhost ]$ sudo setfacl -m g:testing:rw- somefile/
sudo: >>> /etc/sudoers: syntax error near line 111 <<<
sudo: parse error in /etc/sudoers near line 111
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
line number 111 is :
%testing ALL= NOPASSWD: !/usr/bin/setfacl -m g:testing:*
Responses
You need to escape the colon in "g:testing" for the reason Jan posted:
Try g\:testing instead.
From sudoers man page:
"If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a ’\’ if they are used in command arguments: ’,’, ’:’, ’=’, ’\’. The special command "sudoedit" is used to permit a user to run sudo with the -e option (or as sudoedit). It may take command line arguments just as a normal command does."
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
