[sudo-users] [SOLVED] Re: Command with argument not working as expected

Leigh Brown leigh at solinno.co.uk
Thu Feb 11 14:02:07 EST 2010


On Thu, February 11, 2010 3:04 pm, Gabriel Menini wrote:
> sudo-users-bounces at courtesan.com escribió el 2010-02-03 15:33:05:
>
>> Hello, list.
>>
>> Since I want users to chmod files only under certain directory, I have
>> the following in my /etc/sudoers file:
>>
>> # User alias specification
>> User_Alias ADMINS = myname,yourname
>>
>> # Cmnd alias specification
>> Cmnd_Alias CHMOD   = /usr/bin/chmod /dir/where/chmod/is/allowed/*
>
> Hi,
>
> Finally, my peer found the way to set the correct syntax:
>
> Cmnd_Alias CHMOD   = /usr/bin/chmod u+x /dir/where/chmod/is/allowed/*
>
> I was missing the chmod options u+x. Sure, this line only sets the
> executable-by-owner bit, but it's enough for me so far.

I would recommend extreme caution when using an asterisk anywhere in
any sudo rule.  The above rule also allows :-

sudo chmod u+x /dir/where/chmod/is/allowed/../../../somewhere/bad

not to mention that it matches spaces :-

sudo chmod u+x /dir/where/chmod/is/allowed/zzz  /somewhere/bad

It's possible to get around this by adding these sorts of rules after
the main one, but it's still a worry.

Cmnd_Alias CHMOD   = /usr/bin/chmod u+x /dir/where/chmod/is/allowed/*, \
                    !/usr/bin/chmod u+x *[ ]*, \
                    !/usr/bin/chmod u+x *../*

It would be nice if sudo supported regular expression matching.  Until
then I would recommend wrapper scripts in place of any rule that
includes an asterisk.

Regards,

Leigh.
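The wrapper-script approach recommended above, written out as an added example that is not part of the original post. It is a POSIX sh script that takes exactly one argument, canonicalises it with realpath (so every `..` component and every symlink is resolved before anything is compared, which also covers the bare `/dir/where/chmod/is/allowed/..` case that the `*../*` negation does not match), and refuses anything that does not resolve to a regular file strictly inside the allowed directory. The install path /usr/local/sbin/chmod-ux is hypothetical and the allowed directory is the placeholder from the thread; with the wrapper in place the sudoers rule names the wrapper alone and contains no asterisk.

```shell
#!/bin/sh
# chmod-ux: sudo wrapper that sets u+x on exactly one regular file that really
# lives under ALLOWED_DIR.  Added example; the install path
# /usr/local/sbin/chmod-ux is hypothetical and ALLOWED_DIR is the placeholder
# path from the thread.
#
# Matching sudoers rule (no asterisk, so sudo passes every argument through and
# all validation is the wrapper's job):
#   Cmnd_Alias CHMOD = /usr/local/sbin/chmod-ux
#   ADMINS ALL = CHMOD

PATH=/usr/bin:/bin   # never trust the caller's PATH, even with env_reset
export PATH
ALLOWED_DIR=/dir/where/chmod/is/allowed

# chmod_ux_in BASE FILE
# Runs chmod u+x on FILE only if, after resolving every ".", ".." and symlink
# (realpath from coreutils or BSD is assumed to be present), it is a regular
# file strictly inside BASE.  Returns non-zero and touches nothing otherwise.
chmod_ux_in() {
    base=$1
    target=$2
    nl='
'
    # An empty argument, or one containing a newline, cannot be carried safely
    # through the command substitutions below, so refuse it up front.
    case $target in
        '' | *"$nl"*) echo "chmod-ux: bad argument" >&2; return 1 ;;
    esac

    canon_base=$(realpath -- "$base" 2>/dev/null) || {
        echo "chmod-ux: allowed directory $base does not exist" >&2; return 1; }
    canon=$(realpath -- "$target" 2>/dev/null) || {
        echo "chmod-ux: $target does not exist" >&2; return 1; }

    # Prefix test with a trailing slash: /allowed/x passes, /allowed2/x does
    # not, and /allowed itself (reached via "allowed/..") does not either.
    case $canon in
        "$canon_base"/*) ;;
        *) echo "chmod-ux: $target resolves to $canon, outside $base" >&2
           return 1 ;;
    esac

    # chmod follows symlinks; $canon is already fully resolved, so this test
    # sees the real object.  Directories and device nodes are refused.
    if [ ! -f "$canon" ]; then
        echo "chmod-ux: $canon is not a regular file" >&2; return 1
    fi

    chmod u+x -- "$canon"
}

# Entry point: exactly one argument, because sudo forwards whatever the caller
# typed and "zzz /somewhere/bad" must not be treated as two files.
main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: chmod-ux FILE" >&2
        return 2
    fi
    chmod_ux_in "$ALLOWED_DIR" "$1"
}

# Installed as the sudo target the last line is simply `main "$@"`; it is
# guarded here so the file can also be sourced and its functions exercised.
[ "$#" -eq 0 ] || main "$@"
```

Because the rule grants the wrapper and nothing else, the argument-matching questions in the thread (spaces, `..`, a second path) never reach sudo's glob matcher at all; the wrapper decides, after canonicalisation, whether the one file it was given may be touched.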