How to disable vyos to change root's passwd


I’m using vyos1.4.

I found user vyos can change root’s paswd by sudo passwd anytime, even through I disable it in /etc/sudoers.d /vyos like this:

# Allow any user to run files in sudo-users
%users ALL=NOPASSWD: /opt/vyatta/bin/sudo-users/,!/usr/bin/sudo passwd

# Allow members of group sudo to execute any command
%sudo ALL=NOPASSWD: ALL,!/usr/bin/sudo passwd
vyos@vyos:~$ /usr/bin/sudo passwd
New password: 
Retype new password: 
passwd: password updated successfully

Is there any method to forbid user vyos to change root’s passwd?

Unfortunately this is how Linux works …

linux - Prevent SUDO from executing passwd - Super User.