how to prevent ./*

Todd C. Miller Todd.Miller at courtesan.com
Wed Nov 12 16:16:58 EST 2003


Matching is done based on the inode and device numbers.  Therefore,
if a user is allowed to run /bin/ls, "cd /bin ; sudo ./ls" will
also work (since it is the same binary).  This is done to prevent
problems with NFS automounters.  That doesn't mean that (in this
example), "sudo ./ls" will work for _any_ "./ls" (unless you allow
the user to run ALL).

What are you really trying to prevent?  If you want to allow a user
to run anything but certain commands you are really going about it
the wrong way since there will always be a way around the restrictions
you impose (--infinity is still infinity).  You would be much better
off enumerating the commands you want the user to be able to run.

 - todd
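The matching rule described above, as an added example that is not part of the original post and is not sudo's own code: a simplified allowlist matcher that identifies a binary by its (device, inode) pair, so a relative path to the same binary matches while a separate copy with the same name does not. It goes slightly beyond the post by also showing a hard link, which shares the inode and therefore matches the same way. All paths and the `match_allowed_command`/`demo` names are constructed for the illustration; the layout is built in a temporary directory.

```python
import os
import shutil
import tempfile
from typing import Iterable, Optional


def file_identity(path: str) -> tuple:
    """Return the (device, inode) pair that identifies a file on disk."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def match_allowed_command(requested: str, allowed: Iterable[str]) -> Optional[str]:
    """Return the allowlist entry that is the same on-disk file as `requested`,
    or None if the requested path is not one of the enumerated commands.

    Simplified model of the rule in the post (match on inode and device numbers
    rather than on the path string); this is an illustration, not sudo's code.
    """
    try:
        wanted = file_identity(requested)
    except FileNotFoundError:
        return None
    for entry in allowed:
        try:
            if file_identity(entry) == wanted:
                return entry
        except FileNotFoundError:
            continue  # an allowlist entry that does not exist cannot match
    return None


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise the matcher.

    Returns a dict of case name -> bool (True means the request matched).
    """
    root = tempfile.mkdtemp()
    saved_cwd = os.getcwd()
    try:
        bindir = os.path.join(root, "bin")      # stands in for /bin
        other = os.path.join(root, "other")     # some unrelated directory
        os.makedirs(bindir)
        os.makedirs(other)

        real_ls = os.path.join(bindir, "ls")    # the enumerated command
        with open(real_ls, "w") as f:
            f.write("#!/bin/sh\necho constructed ls\n")
        os.chmod(real_ls, 0o755)

        os.link(real_ls, os.path.join(other, "ls_link"))   # same inode
        shutil.copy(real_ls, os.path.join(other, "ls"))    # new inode

        allowed = [real_ls]   # enumerate what the user may run
        results = {}

        os.chdir(bindir)      # "cd /bin ; sudo ./ls": same binary, matches
        results["relative_same_binary"] = match_allowed_command("./ls", allowed) is not None

        os.chdir(other)       # a different ./ls elsewhere: different inode, no match
        results["relative_copy"] = match_allowed_command("./ls", allowed) is not None
        # hard link to the allowed binary: same device and inode, matches
        results["hard_link"] = match_allowed_command("./ls_link", allowed) is not None
        return results
    finally:
        os.chdir(saved_cwd)
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {'allowed' if matched else 'denied'}")
```

The point of the second half of the post shows up in `allowed`: the matcher only ever answers "yes" for a file that is literally one of the enumerated binaries, so there is no path-spelling trick that turns a denied command into an allowed one; a denylist keyed on path strings would have no such property.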

