On 15/02/2018 04:04, freeipa-users-request(a)lists.fedorahosted.org wrote:
> I wanted to ask if there is any way to exclude only one sudo
> and allow all the others.
> For example, I want to exclude "passwd" command but allow all the others
> without need to write each of the one by one.
This is more a sudo question than an IPA question but it is not
recommended to even try this.
For example, there would be nothing to stop them doing:
sudo sh -c passwd
echo passwd | sudo sh
And there are many commands which will let you get out to a shell,
directly or indirectly.