Quote:
Originally Posted by Slackyman
Code:
%groupA ALL = ALL, !/usr/bin/Widge2
%groupB ALL = ALL, !/usr/bin/Widge
But keep in mind that a user in groupA who changes directory (e.g. "cd /usr/bin") can still run "./Widge2".
I think it's better to work with file permissions.
They don't have to change the directory. It is as simple as that: if you give one user (or a group, doesn't matter) the ALL rights in the sudoers file then nothing can prevent them from doing anything, including changing the root password and logging in themselves as root or simply using visudo to change things in the sudoers file.
This approach to security will not work. The intended use of sudo is to give the users only the rights to run the applications as root which they need for their job. It is not meant to give the users all rights and then take away the rights to run some applications. This will theoretically work, but is in the real world simply not maintainable.
So the question to the OP should be: Do your users really need the right to run all applications as root?
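
An audit sketch for the pattern discussed in this thread, added here as an example and not written by either poster: it scans sudoers text and reports every rule that grants `ALL` commands, separating plain `ALL` from "`ALL` minus a denylist". The `%groupC` rule and its `widged` service are hypothetical, and the parser is deliberately simplified (aliases are not expanded, `#uid` user entries are skipped).

```python
import re

# Constructed sample: the two rules quoted in the thread plus one
# hypothetical allowlist-style rule (the widged service is an assumption).
SAMPLE = """\
# constructed sudoers sample
%groupA ALL = ALL, !/usr/bin/Widge2
%groupB ALL = ALL, !/usr/bin/Widge
%groupC ALL = (root) /usr/bin/systemctl restart widged
"""

# Runas specs such as (root) or (ALL:ALL), and tags such as NOPASSWD:
RUNAS_OR_TAG = re.compile(r"\([^)]*\)|\b[A-Z_]+:")


def audit_sudoers(text):
    """Return (who, kind, negated_commands) for every rule granting ALL commands."""
    findings = []
    # A trailing backslash continues a sudoers rule on the next line.
    text = text.replace("\\\n", " ")
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, includes, Defaults and alias definitions.
        if not line or line.startswith(("#", "@", "Defaults")) or "_Alias" in line:
            continue
        if "=" not in line:
            continue
        left, right = line.split("=", 1)
        who = left.split()[0]
        # Drop runas specs and tags so only the command list remains.
        cmds = [c.strip() for c in RUNAS_OR_TAG.sub("", right).split(",")]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds:
            # Negations do not turn an ALL grant into a restricted one.
            kind = "ALL minus denylist" if negated else "unrestricted ALL"
            findings.append((who, kind, negated))
    return findings


if __name__ == "__main__":
    for who, kind, negated in audit_sudoers(SAMPLE):
        print(f"{who}: {kind} {negated}")
```

Only `%groupA` and `%groupB` are reported; the `%groupC` rule names the one command it permits, so there is no `ALL` grant to flag.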