On Nov 29, 2007 8:05 PM, ankush grover <ankushfedora@xxxxxxxxx> wrote: > What they require (I mean users) is to do all the > things except they cannot su/su- to become anyother user or root user, they > test ALL=(ALL) ALL, !/usr/bin/su > test2 ALL=(ALL) ALL, !/usr/bin/su test and test2 could then sudo bash And then they have an unlimited root shell. The following gets you a little closer to what you want, but never really gets you there: test myhost=(root) !/usr/bin/su,!sudo,!/bin/bash,!/bin/tcsh,!vi,!less on and on and on and on, listing every command line tool that has a "shell escape feature". In other words, what you want may be possible in theory but not in practice. But at least you have to limit them to a particular user (maybe not root but some other special user with special ownerships that you have set up). I recommend defining what commands are okay for them to use, and then doing some homework to make sure those are safe (no way to escape to a shell, which is hard to guarantee). Or only give sudo power to people you trust completely. HTH, Dave