Dear Friends & Gurus

i want to create a sudo user, sudo user should not start or stop
the service.

as like a normal user i created a user called root2
and i edited the user with visudo command and added the below line
to the user root2 and got the full privilages.
root2 ALL=(ALL) ALL

i commented the below line
##Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
eventhough the sudo user root2 can start and stop the service
which i dont want to give that privilage.

Can any one guide the where am doing mistake.

Any help is appreciated
Thanks In Advance
JNReddy

right, well "ALL" means.... "ALL" You're not references the SERVICES value at all, otherwise the line would say "SERVICES" not "ALL". Read the manpage for sudoers to clear things up.

root2?? That's a really dubious choice of name, really really confusing. Remember that there should be no such thing as a "sudo user", you are meant to use NORMAL user accounts, to allow regular users to do some additional admin tasks. It sounds like you're just generally not that comfortable with the sudo framework.

Remember, if you want to stop a sudo user from doing something, you must disable all ability for them to start a shell. For example, if you give a sudo user the ability to run vi as root then they can do whatever they want because vi can spawn a shell.

I don't have a lot of experience with this, but from what I've heard auditing this can be a nightmare. Since you're using Red Hat, you might look at using the mandatory access controls of SELINUX to limit what superusers can do.

Dear acid_kewpie and btmiller

Thanks for your replies

i will try to gather some more info


Thanks
JNreddy.