I issue the visudo command, add this rule to the very end of the file, save the file and quit.
newuser ALL=/usr/sbin/useradd
However newuser is still able to run such commands as
sudo passwd username
And the added rule in the sudoers file seems not to work. Why?
I have logged out/in after modifying the file.
The goal is to make newuser be able to create a new user but not be able to set a password for that user.
id newuser
uid=1003(newuser) gid=1003(newuser) groups=1003(newuser),27(sudo)
visudo
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
newuser ALL=/usr/sbin/useradd
Your newuser has two lines that can affect it in your configuration. It belongs to the sudo group, and it is the user newuser. Because your user is in the sudo group, it can run any command after providing the password.
You need to remove newuser from the sudo group, or adjust your configuration to suit this. Be careful that you don't lose sudo from your main account during this process!
When newuser is no longer in a group that gives it access to all commands, it will be restricted and only allowed to run useradd, as you've configured, and there will be no need to mess with or add any passwd entries, as it will have no access to that command.
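To make the answer's point concrete, here is an added example (not from the question or the answer) that lists every sudoers rule matching a user, either by name or through a %group entry, and reports whether any of them grants ALL commands. It is a deliberately simplified matcher (one rule per line, no aliases, hosts, Runas specs or negations) fed with the lines from the question; on a real system `sudo -l -U newuser` is the authoritative check.

```sh
#!/bin/sh
# Added example: show which sudoers rules apply to a user and why.
# Assumptions: one rule per line; first field is the User_List; groups are
# given as a comma-separated list (as printed by `id -Gn`).

# Constructed sample: the rule lines from the sudoers file in the question.
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
newuser ALL=/usr/sbin/useradd'

# rules_for USER GROUPS SUDOERS_TEXT: print each rule whose User_List
# matches USER directly or via a %group the user belongs to.
rules_for() {
    printf '%s\n' "$3" | awk -v user="$1" -v groups="$2" '
        BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) ingrp[g[i]] = 1 }
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        /^[[:space:]]*Defaults/ { next }   # skip option lines
        {
            spec = $1
            if (spec == user) print
            else if (substr(spec, 1, 1) == "%" && (substr(spec, 2) in ingrp)) print
        }'
}

# unrestricted USER GROUPS SUDOERS_TEXT: exit 0 if any matching rule ends in
# the command list ALL, i.e. the user can run any command via sudo.
unrestricted() {
    rules_for "$1" "$2" "$3" | awk '$NF == "ALL" { found = 1 } END { exit !found }'
}

# Demo: newuser with the groups shown by `id newuser` in the question,
# then again after removing it from the sudo group.
for groups in "newuser,sudo" "newuser"; do
    echo "== groups: $groups"
    rules_for newuser "$groups" "$SAMPLE_SUDOERS"
    if unrestricted newuser "$groups" "$SAMPLE_SUDOERS"; then
        echo "-> unrestricted: a matching rule grants ALL commands"
    else
        echo "-> restricted to the listed commands only"
    fi
done
```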
The wording of your question is unclear. Is newuser able to, or not able to, run any and all sudo commands? Can they or can they not run sudo passwd username? What is your goal?
You'll have to give us the /etc/sudoers file, as well as the list of groups to which your newuser belongs. It is likely newuser is in the sudo group, or some other group being given access.
If you cannot run sudo passwd, you need to add a rule to allow your user to run the command, since /usr/sbin/useradd and /usr/bin/passwd are two different binaries.
Have you thought of the consequences of what you're doing? If you allow newuser to sudo passwd root, why not just give them root access (unless you actually lock it down to username)?