On Thu, Jun 21, 2007 at 07:35:24AM +0930, n0dalus wrote:
> >We could easily set up the sudoers file like this:
> >   a) for wheel-group members, auth-as-self.
> >   b) for non-wheel-group-members, sudo prompts for the *root* password.
> I'm not sure this is possible to do with sudoers. Please post the

Sure it is. Why would I have suggested it otherwise?

> lines you would expect to see in the file. I think that kind of
> behaviour would require patching sudo, and would be inconsistent with
> the sudo documentation found anywhere on the internet.

What, the man page isn't on the internet? :)

You just need to do this:

  Defaults:ALL,!%wheel rootpw

and optionally

  Defaults passprompt="Root password:"
  Defaults:%wheel passprompt="Your password:"

and then

  ALL ALL=(ALL) ALL

That last line is a bit scary but is as safe as allowing anyone to run the
su command, assuming nothing screws with the Defaults line. There'd be other
ways to accomplish the same goal with a little more complexity in return for
a more fail-safe feeling, but you get the idea.

It *is* unfortunate that there isn't a ROOTPW or ROOTPASSWD "tag" (in sudo
terminology) to match the existing NOPASSWD. (And a TARGETPW, while we're at
it.) That'd be a slightly nicer way to do this. The upstream author might
accept a patch to add that, actually. That way, you could do:

  ALL ALL=(ALL) ROOTPW: ALL
  wheel ALL=(ALL)

instead of the split between the defaults line and "ALL ALL=(ALL) ALL".

-- 
Matthew Miller mattdm@xxxxxxxxxx <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
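
Added example, not part of the original message: the catch-all rule above is only as safe as su while the rootpw Defaults line survives, so this small lint flags a sudoers text where "ALL ALL=(ALL) ALL" is present without rootpw covering non-wheel users. The function names and sample files are constructed for illustration, and the parser is a simplification that handles only the line forms shown in the message.

```python
import re

# Simplified lint for the layout in the message above; it does not implement
# the full sudoers grammar (aliases, #include, per-host/runas Defaults).
CATCH_ALL = re.compile(r"^ALL\s+ALL\s*=\s*\(\s*ALL\s*\)\s*ALL$")
DEFAULTS = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def flags(opts):
    """Boolean flags on a Defaults line, ignoring quoted values."""
    return {f.strip() for f in re.sub(r'"[^"]*"', "", opts).split(",")}

def audit(text):
    """Return findings for a catch-all rule not guarded by rootpw."""
    catch_all, guarded, findings = False, False, []
    for line in logical_lines(text):
        if CATCH_ALL.match(line):
            catch_all = True
            continue
        m = DEFAULTS.match(line)
        if not m:
            continue
        users, opts = m.group(1), flags(m.group(2))
        # Conservative: any negation is reported, whatever its user binding.
        if "!rootpw" in opts:
            findings.append(f"rootpw negated: {line}")
        # Unbound Defaults and Defaults:ALL,!%wheel both cover non-wheel users.
        if "rootpw" in opts and users in (None, "ALL,!%wheel"):
            guarded = True
    if catch_all and not guarded:
        findings.append("catch-all rule without rootpw for non-wheel users")
    return findings

# Constructed samples: the layout from the message, and the same file with
# the rootpw Defaults line lost.
SAFE = '''Defaults:ALL,!%wheel rootpw
Defaults passprompt="Root password:"
Defaults:%wheel passprompt="Your password:"
ALL ALL=(ALL) ALL
'''
BROKEN = SAFE.replace("Defaults:ALL,!%wheel rootpw\n", "")

if __name__ == "__main__":
    print(audit(SAFE), audit(BROKEN))
```

Syntax itself should still be checked with visudo -c before a file like this is installed; the lint only covers the policy invariant.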