[sudo-users] Grant permission by "digest" only?

A. James Lewis james at fsck.co.uk
Wed Mar 11 22:14:18 MDT 2020


Excellent, that's exactly what I was hoping for... I'll look out for the 
1.9 release!

James

On 11/03/2020 19:52, Todd C. Miller wrote:
> On Fri, 28 Feb 2020 20:05:10 +0000, "A. James Lewis" wrote:
>
>> I would like to allow "sudo" to grant access to /any/ binary that
>> matches the specified digest/checksum, or at least a given filename in
>> any path location.... Reading the manual for sudo it appears to suggest
>> that "*" matches 0 or more character, so I would hope I could match /*
>> and specify a digest.
> The natural way to do this with sudo would be to use the "ALL"
> reserved alias.  However, there is not currently a way to specify
> a digest along with "ALL".
>
> I just checked in support for this to what will be sudo 1.9.0 so
> it will be possible in the near future.  For example, you can now
> do things like this:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA== ALL,\
>                sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
> to allow "millert" to run any command that matches one of two
> SHA-2 digests.
>
> Sudo 1.9.0 also supports multiple digests per command so this could
> be written as:
>
> millert ALL = sha224:15EOGWc0K0YFy3OlUJRARMYxzTUUABkAlmlirA==,\
>                sha224:SfVTgmXpKXtwqF843D/G3/hkAnwg2HP9B/QzXg== ALL
>
>   - todd

-- 
ค. ﻝค๓єร ɭєฬเร (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
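As an added example (not code from the sudo project or from either poster in this thread), the script below computes the SHA-224 digest of a binary in both encodings sudoers accepts, hex and the base64 form used in Todd's examples, and prints a sudoers entry of the shape shown above. The function names are my own; the `sha224:` prefix and the `digest ALL` syntax are taken from the reply. It uses coreutils `sha224sum` (falling back to `openssl dgst`) and does the hex-to-base64 conversion in shell arithmetic so it runs without any extra tools.

```shell
#!/bin/bash
# Added example, not from the sudo project or the original post.
# Emits sudoers digest specs for a binary, in the form sudo 1.9.0
# accepts with the ALL alias (per Todd's reply in the thread).
set -eu

# Hex SHA-224 of a file: coreutils sha224sum, or openssl as a fallback.
sudo_digest_hex() {
  local f=$1
  if command -v sha224sum >/dev/null 2>&1; then
    sha224sum -- "$f" | cut -d' ' -f1
  else
    openssl dgst -sha224 -r "$f" | cut -d' ' -f1
  fi
}

# Hex string -> standard base64 with '=' padding, done in shell
# arithmetic (3 bytes / 6 hex digits -> 4 base64 characters).
hex_to_b64() {
  local hex=$1 out="" i chunk nbytes n
  local tbl='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
  for ((i = 0; i < ${#hex}; i += 6)); do
    chunk=${hex:i:6}
    nbytes=$(( ${#chunk} / 2 ))
    # left-justify the 1..3 bytes into a 24-bit group
    n=$(( 16#$chunk << (8 * (3 - nbytes)) ))
    out+=${tbl:$(( (n >> 18) & 63 )):1}
    out+=${tbl:$(( (n >> 12) & 63 )):1}
    (( nbytes >= 2 )) && out+=${tbl:$(( (n >> 6) & 63 )):1} || out+='='
    (( nbytes >= 3 )) && out+=${tbl:$(( n & 63 )):1} || out+='='
  done
  printf '%s' "$out"
}

# Base64 SHA-224 of a file (the compact form Todd's examples use).
sudo_digest_b64() {
  hex_to_b64 "$(sudo_digest_hex "$1")"
}

# Build "user host = sha224:DIGEST command", e.g. with command "ALL" to
# allow any binary whose contents hash to DIGEST, whatever its path.
sudoers_digest_line() {
  local user=$1 host=$2 file=$3 cmd=$4
  printf '%s %s = sha224:%s %s\n' "$user" "$host" "$(sudo_digest_b64 "$file")" "$cmd"
}

# Recompute and compare, as sudo does at exec time: a rebuilt or
# upgraded binary no longer matches and the grant silently stops working.
sudo_digest_matches() {
  local file=$1 expected_b64=$2
  [ "$(sudo_digest_b64 "$file")" = "$expected_b64" ]
}

# Usage: ./sudo-digest.sh USER FILE...   (prints one sudoers line per file)
if [ $# -ge 2 ]; then
  user=$1; shift
  for f in "$@"; do
    sudoers_digest_line "$user" ALL "$f" ALL
  done
fi
```

Two practical notes. First, `visudo -c -f <file>` will check the syntax of the generated line, but only sudo 1.9.0 or later accepts a digest in front of `ALL`; older releases reject it. Second, because the match is on file contents rather than path, every package update of the binary invalidates the entry, so pair this with whatever process updates sudoers (or regenerate the digests with `sudo_digest_matches` in a post-install check) rather than treating it as set-and-forget.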
