Users although specified in the /etc/opt/quest/vas/users.deny can have commands run under their user by using the sudo command from another user.
user@server1:~$ /opt/quest/bin/vastool list users-allowed | grep denieduser
But if used by sudo it is no problem to run commands as this user:
user@server1:~$ sudo -u denieduser touch /tmp/testfile
user@server1:~$ ls -la /tmp/testfile
-rw-r--r-- 1 denieduser staff 0 2010-03-04 13:16 /tmp/testfile
Contents of users.deny:
user@server1:~$ cat /etc/opt/quest/vas/users.deny
This is normal sudo behaviour.
However, the users in the users.deny file can be hidden from NSS to prevent the sudo to those users.
User the vas.conf option: user-hide-if-denied:
[user@server1 ~]$ /opt/quest/bin/vastool list user denied
[user@server1 ~]$ sudo -u denied date
sudo: no passwd entry for denied!
If you wish to add this change run the following command to configure:
# /opt/quest/bin/vastool configure vas nss_vas user-hide-if-denied true
Some details can be found in the vas.conf MAN entry:
user-hide-if-denied = <true | false>
Default value: false
By default, all available users are visible from the standard getpw* and getgr* functions. Setting this option to true will cause nss_vas not to return users if they are denied access according the host access control rules. This virtually hides those users as if they are not available on the system. This option is off by default. If this option is changed, the groups cache must be flushed before denied users will be excluded from membership lists returned from getgr* calls.
Note that this is a global option and will modify the behavior of nss_vas in all processes on the Unix host.
The following example shows how to hide users who are denied access from the getpw* family of functions.
user-hide-if-denied = true