Plant, Dean wrote:
> I see you're trying to protect your users from becoming root. You do
> realise that with that sudo configuration a user can still run "sudo
> /bin/bash" or any of the other shells to gain root access.
>

Hi Dean,

I don't think that's correct. One of the purposes of the sudoers file is that you can limit users to specific programs, excluding them from others. This entry, which I just tested in my CentOS5.2 box, allows the user tldap to use yum, but not /bin/bash:-

tldap ALL=/usr/bin/yum

Here's what happens when I try sudo as user tldap:-

2.6.18-92.1.1.el5.centos.plusxen[tldap at www ~]$ sudo yum update
Loading "fastestmirror" plugin
Loading "priorities" plugin
Loading mirror speeds from cached hostfile
 * base: rsync.atworks.co.jp
 * updates: rsync.atworks.co.jp
 * centosplus: mirror.exetel.com.au
 * addons: mirror.exetel.com.au
 * extras: mirror.exetel.com.au
0 packages excluded due to repository priority protections
Setting up Update Process
No Packages marked for Update
2.6.18-92.1.1.el5.centos.plusxen[tldap at www ~]$ sudo /bin/bash
Sorry, user tldap is not allowed to execute '/bin/bash' as root on www
2.6.18-92.1.1.el5.centos.plusxen[tldap at www ~]$

Cheers,
Ian
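
The allow/deny decision seen in the session above, as an added example that is not part of the original message: a simplified Python model of how a sudoers command list is matched. It goes beyond the single entry tested (arguments, directory specs, negation); host matching, aliases, tags and path wildcards are not modelled, and every rule other than the tldap entry is a constructed sample.

```python
import fnmatch
import shlex

def parse_rule(line):
    """Split 'user host=cmd[, cmd...]' into (user, host, [command specs])."""
    who, _, cmds = line.partition("=")
    user, host = who.split()
    return user, host, [c.strip() for c in cmds.split(",") if c.strip()]

def spec_matches(spec, argv):
    """True if one command spec matches argv (argv[0] must be a full path)."""
    if spec == "ALL":
        return True
    if spec.endswith("/"):  # directory spec: any command directly inside it
        return argv[0].startswith(spec) and "/" not in argv[0][len(spec):]
    path, *want = shlex.split(spec)
    if argv[0] != path:
        return False
    if not want:            # no arguments in the spec: any arguments allowed
        return True
    if want == [""]:        # "" in the spec: allowed only without arguments
        return len(argv) == 1
    # Arguments are compared as one space-joined string, wildcards included.
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(want))

def allowed(rules, user, command):
    """Last matching spec wins; a leading '!' turns a match into a denial."""
    argv = shlex.split(command)
    verdict = False         # nothing matched: sudo refuses the command
    if not argv:
        return verdict
    for line in rules:
        rule_user, _host, specs = parse_rule(line)  # assumption: host matches
        if rule_user not in (user, "ALL"):
            continue
        for spec in specs:
            negate = spec.startswith("!")
            if spec_matches(spec.lstrip("! "), argv):
                verdict = not negate
    return verdict

PAGE_RULE = ["tldap ALL=/usr/bin/yum"]                 # entry from the message
CONSTRUCTED = ["tldap ALL=/usr/bin/, !/usr/bin/yum"]   # constructed sample

if __name__ == "__main__":
    for cmd in ("/usr/bin/yum update", "/bin/bash"):
        verdict = "allowed" if allowed(PAGE_RULE, "tldap", cmd) else "denied"
        print(cmd, "->", verdict)
```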