gistfile1.txt

(8:28:46 AM) akesterson: here's another sudoers question, which google hasn't been good at answering
(8:29:17 AM) akesterson: I have a user that is in a group (App_Admin_Puppet) that needs to be able to 
run a sudo commandin some network locations, but not others. We need one sudoers file that can express 
this everywhere, and I'd like to do it with only the one App_Admin_Puppet group.
(8:29:34 AM) akesterson: so I have a host alias that says "All hosts except ec2 internal, amz1 vpc, 
or our xyz datacenter"
(8:29:39 AM) akesterson: Host_Alias  NONPROD=DEV_SYSTEMS,!INTERNAL,!AMZ1,!XYZ
(8:29:54 AM) akesterson: then there's the line that says "if he's in the puppet application admins 
group, let him through"
(8:29:59 AM) akesterson: %App_Admin_Puppet ALL=(ALL) NOPASSWD:ALL
(8:30:22 AM) akesterson: but down at the bottom, where I'm saying "except for THIS guy, who you 
should only let it happen in the NONPROD alias", it's ignoring the alias and letting him run it 
everywhere, even on the production systems that NONPROD's ! aliases should be denying him
(8:30:30 AM) akesterson: some_user NONPROD=(ALL) NOPASSWD:ALL
(8:30:45 AM) akesterson: the location of the some_user directive in the sudoers makes no difference, 
either. same when it's above or below the %App_Admin_Puppet directive.
(8:31:38 AM) akesterson: am I gonna have to make another group just to say "these guys can do X in 
prod, but not these"?
(8:32:45 AM) akesterson: FWIW the NONPROD alias works, because I also have 
(%SystemAdministrators NONPROD=(ALL) NOPASSWD:ALL), and a member of SystemAdministrators gets 
appropriately denied