[sudo-users] Grant permission by "digest" only?
Todd C. Miller
Todd.Miller at sudo.ws
Wed Mar 11 13:52:31 MDT 2020
On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
> I would like to allow "sudo" to grant access to /any/ binary that
> matches the specified digest/checksum, or at least a given filename in
> any path location.... Reading the manual for sudo it appears to suggest
> that "*" matches 0 or more character, so I would hope I could match /*
> and specify a digest.
The natural way to do this with sudo would be to use the "ALL"
reserved alias. However, there is not currently a way to specify
a digest along with "ALL".
I just checked in support for this to what will be sudo 1.9.0 so
it will be possible in the near future. For example, you can now
do things like this:
millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA== ALL,\
sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
to allow "millert" to run any command that matches one of two
SHA-2 digests.
Sudo 1.9.0 also supports multiple digests per command so this could
be written as:
millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA==,\
sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
- todd
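As an added example (not part of this thread, and not sudo's own code), the helper below shows how an administrator would produce the "sha224:..." digest specs used in Todd's sudoers lines from a file's contents, check a file against a list of such specs the way sudo conceptually does before running a digest-restricted command, and render the multi-digest entry form. The function names, the constructed sample file, and the parsing rule (a value of exactly 2*digest_size hex characters is treated as hex, anything else as base64) are this example's assumptions; sudoers documents both hex and base64 digest encodings for sha224/sha256/sha384/sha512.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Digest algorithms the sudoers Digest_Spec accepts.
SUPPORTED_ALGOS = ("sha224", "sha256", "sha384", "sha512")


def digest_spec(data: bytes, algo: str = "sha224", encoding: str = "base64") -> str:
    """Return a sudoers-style "algo:digest" spec for the given file contents.

    sudoers accepts the digest as hex or base64; the thread's examples use base64.
    """
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    raw = hashlib.new(algo, data).digest()
    if encoding == "hex":
        return f"{algo}:{raw.hex()}"
    if encoding == "base64":
        return f"{algo}:{base64.b64encode(raw).decode('ascii')}"
    raise ValueError(f"unsupported encoding: {encoding}")


def parse_spec(spec: str) -> tuple[str, bytes]:
    """Split "algo:digest" into (algo, raw digest bytes), accepting hex or base64."""
    algo, _, value = spec.partition(":")
    if algo not in SUPPORTED_ALGOS or not value:
        raise ValueError(f"malformed digest spec: {spec!r}")
    size = hashlib.new(algo).digest_size
    # Assumption: a hex digest is exactly 2*digest_size hex chars; otherwise base64.
    if len(value) == 2 * size and all(c in "0123456789abcdefABCDEF" for c in value):
        return algo, bytes.fromhex(value)
    raw = base64.b64decode(value, validate=True)
    if len(raw) != size:
        raise ValueError(f"digest length mismatch for {algo}: {spec!r}")
    return algo, raw


def matches_any(data: bytes, specs: list[str]) -> bool:
    """True if the contents match at least one spec (sudo's digest check, conceptually).

    Uses a constant-time comparison, as a digest check should.
    """
    for spec in specs:
        algo, expected = parse_spec(spec)
        actual = hashlib.new(algo, data).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def render_entry(user: str, specs: list[str], command: str = "ALL", host: str = "ALL") -> str:
    """Render the multi-digest sudoers form from the thread:

        user host = algo:d1,\\
            algo:d2 command
    """
    joined = ",\\\n    ".join(specs)
    return f"{user} {host} = {joined} {command}"


if __name__ == "__main__":
    # Constructed sample "binaries" standing in for files an admin would pin.
    approved_v1 = b"#!/bin/sh\necho backup v1\n"
    approved_v2 = b"#!/bin/sh\necho backup v2\n"
    tampered = b"#!/bin/sh\necho backup v1 # modified\n"

    specs = [digest_spec(approved_v1), digest_spec(approved_v2)]
    print(render_entry("millert", specs))
    print("v1 allowed:", matches_any(approved_v1, specs))      # True
    print("tampered allowed:", matches_any(tampered, specs))   # False
```

Because a digest pins exact file contents, any legitimate update to the pinned binary changes its digest and the sudoers entry must be regenerated; keeping the two forms (hex and base64) interchangeable in the parser avoids mismatches between how the entry was written and how the digest was produced.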