Linux Sudo – Editing Sudoers File to Restrict User Commands

linux, sudo

Is it possible to edit the sudoers file so a user can use sudo for any command except for a specified one? The reverse is true, I believe, that the sudoers file can be set up so that a user can only execute a given list of commands.

EDIT:
The commands I really want to take away are halt and reboot… this makes me think there are special system calls for halt and reboot. Can you take system calls away from a user? If not, is it because the Unix permission system abstracts over system calls, neglecting this?

Best Answer

Another way to look at it is that if the users have largely unrestricted root access they can easily gain full root access.

While you might be able to work something out it would be easily circumvented.

SELinux, though, is a possible way, although it does take a lot to learn.
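
As an added example (not part of the original answer), the following audit check flags sudoers rules that grant `ALL` and then subtract commands with `!`, the pattern the answer describes as easily circumvented and which the sudoers manual also calls generally not effective. The sample sudoers text, the user names and the function names are constructed for illustration, and the parser is simplified (one rule or alias per logical line, no include files).

```python
import re

# Constructed sample sudoers content for illustration (not from the original page).
SAMPLE_SUDOERS = """\
Cmnd_Alias POWER = /sbin/halt, /sbin/reboot
alice ALL=(ALL) ALL, !/sbin/halt, !/sbin/reboot
bob   ALL=(ALL) NOPASSWD: ALL, !POWER
carol ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl
%ops  ALL=(ALL) ALL
"""

SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias")
# Leading runas spec "(...)" and tags such as "NOPASSWD:" in front of a command.
PREFIX = re.compile(r"^(\([^)]*\)\s*)?([A-Z_]+:\s*)*")


def parse_cmnd_aliases(lines):
    """Map each Cmnd_Alias name to its command list (one alias per line, simplified)."""
    aliases = {}
    for line in lines:
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
    return aliases


def find_subtract_from_all(text):
    """Return {who: [negated commands]} for rules that grant ALL and then negate with '!'."""
    # Join backslash-continued lines, then drop blanks and comment lines.
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases = parse_cmnd_aliases(lines)
    findings = {}
    for line in lines:
        if line.startswith(SKIP + ("Cmnd_Alias",)) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        cmds = [PREFIX.sub("", c.strip()) for c in rhs.split(",")]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" in cmds and negated:
            expanded = []
            for n in negated:
                expanded.extend(aliases.get(n, [n]))  # expand a Cmnd_Alias if one matches
            findings[lhs.split()[0]] = expanded
    return findings


if __name__ == "__main__":
    for who, cmds in find_subtract_from_all(SAMPLE_SUDOERS).items():
        print(f"{who}: ALL minus {', '.join(cmds)} (negation is not an effective restriction)")
```

Rules like the constructed `carol` entry, which list only the commands a user may run, are the form the question calls "the reverse" and are not flagged.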