Admin Users
 

Hi Everyone,

I was wondering if anyone knows how to solve this problem.

I have a user that will create new users on a server. Lets call him "userx".

I have added him to the admin group.
Then I added the following to /etc/sudoers:
As you can see I want userx to be able to add users, change their passwords and remove users, but I do not want userx to change the root password which he does not know.

However this does not prevent userx from doing something like:

or
So how would I configure userx so that he can administer users on the server while still preventing him from actually becoming root or breaking something?
What is best practice?

http://www.gratisoft.us/sudo/sudoers.man.html

commands can be restricted.

No I get that. :rolleyes:
My question is, is there a easier way to do this than adding every single possible option that can be used with userdel, passwd related to root in sudoers.

How will you write "If anything relating to root is to be changed, then ask for root passwd"?

If you look more closely to my original post:

You can see I am not allowing "/usr/bin/passwd root" to be executed like I mentioned.

Therefore I can also add and and and until I have included

This might take a long time and some effort, but probably not as long as trying to explain it on this forum...

Near the end of the manpage is an example explaining how to use wildcards:and similar for the other commands.