I'm on a rehost project setting up new RHEL servers. We only have a few users, but to make life easy I set up visudo using %sysadm instead of naming each admin in the visudo file. I also have %wheel, which is supposed to restrict who can sudo su -. I name the individual users in /etc/group.
Things were fine until today, when the ISSO tried to sudo something and was denied. As long as he is only in the %isso group, he cannot sudo; only if I add him to %wheel can he, but then he has full sudo and not the restricted sudo that I want him to have.
I fixed it for now by removing the %isso group and just naming the users in visudo, but I would like to use /etc/group for managing sudo in the future.
Any ideas?