Editing sudoers file to restrict a user's commands

Is it possible to edit the sudoers file so a user can use sudo for any command except for a specified one? I reverse is true, I believe, that the sudoers file can be setup so that a user can only execute a given list of commands.

EDIT: the commands I really want to take away are halt and reboot... this makes me think there are special system calls for halt and reboot. Can you take system calls away from a user? If not, is it because the unix permission system abstracts over system calls neglecting this?

Solution 1:

Another way to look at it is that if the users have largely unrestricted root access they can easily gain full root access.

While you might be able to work something out it would be easily circumvented.

SElinux though is a possible way, although it does take a lot to learn.

Solution 2:

Yes and no... You can prevent a user from running a specific file by preceding the file with a bang (!), however you cannot stop a user from copying the file to another location and then running it from there.

User_Alias    ADMINS = peter, bob, bunny, %operator

ADMINS        ALL    = !/usr/bin/su, !SHELLS

Granting Access to Specific Files as Another User

Solution 3:

To do what you want (keep the user form running halt, reboot and shutdown), you're going to have to look into SElinux stuff to prevent the user from making those syscalls. Otherwise the user will just run /bin/sh first and then run /bin/halt without going through sudo.