Hi All,
just wondering if anyone knows the correct way to create a sudo or doas negation in lists policy (or another way) maybe alias or suid .. etc..
what I'm trying to accomplish is ..
I have 1 root account
3 admins in the operator group
the admins do their daily work with sudo/doas and everything is great..
the problem is any one of the admins can issue a password reset / change for the root account..
my goal is to allow them to run passwd for users, or themselves, but disallow them to change the root password..
thanks!
guessing the proper way would include suid, alias or negotiation list.. but not sure what the best way to go about it is.. or should I just add MFA to the passwd command and control access that way?